Analysis

  • max time kernel: 119s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/11/2024, 22:22

General

  • Target: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
  • Size: 2.6MB
  • MD5: 256d5026cc9fcdb7faec3059941eb7d0
  • SHA1: 79970f805838ba37ed283fd3c7245f5020dd76ba
  • SHA256: 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ff
  • SHA512: 3ed790fc1f6dcbcb2daa2da6800f56fa77284a8a31429d7487b8c3a0ba8c4e8844b549b9dfe67d760619c9b65920c8b55f00679a4762429e4a5d2d0ff10f7e81
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
    "C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2884
    • C:\AdobeVR\xoptiec.exe
      C:\AdobeVR\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeVR\xoptiec.exe
    Filesize: 2.6MB
    MD5: ffc5d6fcc4066adf6bf1e89631522ffa
    SHA1: 6e747f56b2ee1d8227b717f6fec4792830b98087
    SHA256: f333b03ff48ba246eb27a47e4203a4938197333adceeeb04c7278fbc20779fa3
    SHA512: 15c478e45554881dc3afd5664c09c2a5cc6462de56f1bff0454900ad12d3e0ffdbe0923a7b5e39cc6f1aded82c57291cd7ad104d4a1acca438647a3c09c85bb2

  • C:\KaVB6F\bodxec.exe
    Filesize: 2.6MB
    MD5: f6cdc83b7b8cb2f9fabb05ac2fb91298
    SHA1: c514c173940b24002c06e3a1b9cf3183dd60538b
    SHA256: 915e8eaf9b4727ed524a9fe50ed9a03d97d49886ab90bb3d9605feacb9f1dec3
    SHA512: 0141c11abba72ec6d1b94d704cfd6fbe25cbfe93652390500e455a1a8d87c32a8f8a42f91f17772884eeeb48ddbf228d8b5ad5b8ce3a622ff9d7bf58abba4ab3

  • C:\KaVB6F\bodxec.exe
    Filesize: 2.6MB
    MD5: a0d93c62bfe22f0d8bda734267d7a2f7
    SHA1: 70c59b518bc986cac81cc5a181db4b9635e024a1
    SHA256: d05c38f14d0ac21cff9c82bdc5061b764c7223ab560a27b3bd4b0a207c76bb34
    SHA512: 820e30e33691e8a251318199971155431c260c2b8731f29d2b5adb2c90f6c2fa6fe6300ca243d0e45c4f6c91370ef92a773264b361376dd44c2dca87f96f2a30

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: 05ec69ba5ae0a8d217c762e35de75606
    SHA1: dcae221f4f5b13cafbe0806a700ca63d3f993875
    SHA256: b2509ab34931061149e0569c6363608b019a8218b6de01d728a50689ef700df5
    SHA512: 3bd3fa507b06785b0792eb1ea764a614719659a6225eea86080508a2e5952ef05d949de4234b173f2a639b89a509b20c949cda7a37e1a262a8e67e7672bae911

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: ebd011a96fd5aa8e4e854ee7ea97ddce
    SHA1: 606654b2b5029469b4246a94ac188e9bbbee0604
    SHA256: f0cc27e10c75fce16e6e1a47abc8d559cd97bf202bd2f74f584f06b8160bb443
    SHA512: 4f214638e2341c54bf1a9f5fe430079501175b8f37d38b1bc0731b69713f1b8aded6e5f764a7dee0f7886596518c66d3c676de1e69df792eff5f0f39e6083109

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Filesize: 2.6MB
    MD5: 1ac98686c25d9f3c9ac2ed826fdf1b9b
    SHA1: d947c020f3dd9feffea7f7487955ac548494a55e
    SHA256: 228204d6eff5fac80c026e3cddebe352edd33aaec2a47279805fe7f198581c89
    SHA512: 7ec6a6a3117c481b5abbabd6f148ab587db1c9baa67ff7dd02929c379f438f110c3581ff1c4219df015dea39cbc0ec6dad8b31d76e4e9543054782583568ea43