Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 21:18

General

  • Target

    599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe

  • Size

    2.6MB

  • MD5

    8cd708d12f6a6e34ff0a7bd37917ca30

  • SHA1

    ceaaac2eea1454143243b411916c12411ac09cc0

  • SHA256

    599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47af

  • SHA512

    f4b9ca0d5ae58d63952432650beabb4abd354db7d7b265fd02ba39016519ca23aa602b3314f98aabfcc4edb8797612f7e1813f034d9628a06184f09abdb21960

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSq:sxX7QnxrloE5dpUpabV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
    "C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2016
    • C:\IntelprocBN\adobsys.exe
      C:\IntelprocBN\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1752

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocBN\adobsys.exe

    Filesize

    2.6MB

    MD5

    181f83a25ac338cff30fabe819f4365c

    SHA1

    bae04098deb4a60366f053fe2a3fcb491415471b

    SHA256

    5ff70e549556b681068bb416cf3f35b4e1d4c6b26a91ba46965f60aa453ab314

    SHA512

    8a43c4333b475d1efe9ff499b7d9fb84788f8a1c0d60507f3df7cfdf4aa2880d56ca2d9092af154279220aab22f0e4bc41f236fe37685443c32414c490bdc472

  • C:\KaVB6U\optiasys.exe

    Filesize

    2.6MB

    MD5

    10423e1e915265a1a52b32f82e1fdcc6

    SHA1

    62f28b1e825738f1725083536559e5189111f86e

    SHA256

    095510c32197172938698b5375e7b294caa4ab7ef157825ccb359e9ad0c7cd5d

    SHA512

    7234a2bfe0d4e2636c9d8a4faf8ee0caa94bb9f32e54e5759fa8d3e1fdbf557d48ae93115a7e03da56bd9aa4b56cb4a01f98306c53d10a6de45d91b940220dc9

  • C:\KaVB6U\optiasys.exe

    Filesize

    2.6MB

    MD5

    e7ab8feffd1a944e9635f1e0d3d4b19e

    SHA1

    04aadef208dd9aacd5185c3a0f51fb8ae24cd4c0

    SHA256

    d3a577ad10686ff911aa14c51a5c45d39c69f815ff5efcb4169914ed20f4b831

    SHA512

    d886a129b63681f701d1f1f5c56d355a29627faa78b8533be568dec855fd535efdb7d981ee18b3f3a40e0d670ecfff4598a339766ef9f319eb6bdbaf7478267e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    175B

    MD5

    ef3c6c0a4b1a8298e050d7e9838412d0

    SHA1

    5422de6a3f7a7edbccba03deffd62d2652eac39f

    SHA256

    14be82aef4f3fc3033ab6ac02dbf7c0bb68e211e99829cdde15a4d040c0be14b

    SHA512

    39202397343aaa412dc05763305830e2767d9b60a72dc3d899c4141947567fff60cfdf9fd1526a2f5241a3c9a0db558006cb6ade0a11835cc01f6e522eadfc16

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    207B

    MD5

    dd2af84d82a63d3664b0f150de86d646

    SHA1

    8c633a373bcd2774c8d5a9d2b2a4ab7fc24cf564

    SHA256

    59352b91c386b781a5b3674faad5312ba7eb8f8ea6072a569e0d8ee8e6c14d0b

    SHA512

    99637e87286c54b9a9acdd96aee10e87d62b35f87f9453c6cccb7738fd225d26d13a1063c59c347ab1ff474a1949697086da6ad7b3bc8fa593bf9fd318b4c061

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    12124c663d28acd34197072e6e2eb0b2

    SHA1

    6f240f794acb888adbb588bebd6971349e6aedcd

    SHA256

    36ace00ec8c210cf280a9ff80a56383bffdf7a816d09ca1b482191551fa7f8dd

    SHA512

    4c70632b38c27e9f852906abb644146eef93da4e7a8b01597f321d127a9e53dac0d2fcb6816078d746c62e96e3495e7483bb0aa96bb4124b776483c2dc1a84db