Analysis

  • max time kernel
    149s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 19:46

General

  • Target

    1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe

  • Size

    2.6MB

  • MD5

    8dd78af353a40a21e7f4a68d1f98d862

  • SHA1

    968360bbe8492b80a45278d27f38f55a03dff1d2

  • SHA256

    1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d

  • SHA512

    dedf814fd9efaf3506bfeddc1189419968b2d2bb11927fae67936938d0a2a9518b1e319267f2a9b633663e9adb19edb4297d664f1f4492327c50a64e40b07a17

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
    "C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2828
    • C:\UserDot4N\adobloc.exe
      C:\UserDot4N\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBW3\dobxec.exe

    Filesize

    2.6MB

    MD5

    5923515b3fce01ebc92e0c070146cd6f

    SHA1

    70322451010207b3477426800f83c2dafd955477

    SHA256

    bf6be54fbd76564887bc3a7586d35c86be31d7e88eae308e05139ff4f27df8fe

    SHA512

    ad194aef8a0b362b4706e7ebf0b22cafaf3f28426e539f0f674d6e3b0da8a1d9a02c464a57d89cd9790d16d72f4cd7a2b7a4f5daa8064d86edcbfa0225cc275a

  • C:\KaVBW3\dobxec.exe

    Filesize

    2.6MB

    MD5

    313500da59f28a965bf6ca399fb560d9

    SHA1

    b26030fa4e63bd01d27b57b3aa11a7d5cd7100e5

    SHA256

    d351fa1fb8ba789289aed52c4020c0ca26e1958178480caff086344baed18e21

    SHA512

    f6df5ea3cc4f2fc83c929a0ebe2c808b5775c4801c5a3977330193ed6cd8b19188cd60c8bc63eaeab43783874b75d7ab87ace56efbe422e15e0893d69b583a45

  • C:\UserDot4N\adobloc.exe

    Filesize

    2.6MB

    MD5

    e31a65ae579441b45f3c309409ca442d

    SHA1

    63363ce16cb0eaccac734e53dd40cf7e5f564770

    SHA256

    5ee8b287c5c39e452fe2cc9d72b7eb544fe1ce8b9c73f0e997fa0438ddbcd9c9

    SHA512

    82e350d3f7b0ab7c5990407200b3a4a4a0192cb0eecd49665233f996a4854794b265d176ba653ec5ea2bdf1d6195fe832467e078eb5590b426bc85028d180b07

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    5ed5f607e3160309103f88f4162fbb3f

    SHA1

    a5d425cfff5fd231d1c74f23c60e005a5b426547

    SHA256

    8dbce2cf1ed3f4e6d789fa4c4be59899b049811433834ff70548520f32c24a79

    SHA512

    95fc2fa26f096a11695f8be36656f88eb2e897f4742d2399a7dcb62cb09828ce10ff6d74bf95d89ebdfce1c995da541916c72dcf88980383652e223d4c114d5d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    71a4f1220e76772077eb1839f81c463a

    SHA1

    10177d9db956c5f8baef38bcbe8ae91fff06c895

    SHA256

    b5f33c220a208c189e62ed02e41a1c2b09eed1bedebe71a5d8c0c69ef1dc270a

    SHA512

    5fb9c45aa84ba220941713f6089e7651c1ee9c99c6730b1a55e666e269374223f7fa278677ee61e5d6b7da20441ce196fb5576fdfc693a6af8d2462eb37e6b65

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.6MB

    MD5

    9fd8a9bb9f08394e386b41a0c260df4d

    SHA1

    90029781c44accfc5342ba5b317daec2fae19949

    SHA256

    13f47561316a13097429cbb08bf4dc966236f86629520ee6155ffe68bd6756df

    SHA512

    258d66dfe52d450810548910ec785d925bb18eee246fc0784882de0288f98ec790e775658188dabb466fdce69e3019704cf975caca12cff6e31891c9843dd6c9