Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 20:55

General

  • Target: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
  • Size: 2.6MB
  • MD5: 757fd4a96075124bd1bfe506f6fff955
  • SHA1: c035eeb5e726d7515b76a17431c63e83868bc627
  • SHA256: 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7
  • SHA512: fdd75ea3a80a8eceb66da72918976c57d29b8b9c015fa212fc5041b23e54e96a8dc239dcf04a6af82332ceac6e8854eaed02581b79ea5fc7bab580f0388ab6bd
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
    "C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1240
    • C:\FilesE7\abodsys.exe
      C:\FilesE7\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2896

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesE7\abodsys.exe
          Filesize: 2.6MB
          MD5: c008f82098d0fc86d6d97b06931ed1e9
          SHA1: d6ff2bf29202294dc3d9f0b5cea1c43d597456a8
          SHA256: 9a782330ee77bf9befd1b459ec49cac1d8fad95f90899dd703ed854109200c0d
          SHA512: 3d7711f384bef8cd8202edda611ac0c4bd5e7c71fe62510beff7d57952eb68523599dab94a584c25935a66915791d04d51b4f7b842ccb6ac9d41eef7a19acde5

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 169B
          MD5: 0cf379b8a788f24c886168a4b0ab0667
          SHA1: 50f83fb912415bb3e897dfe558071429e6791e13
          SHA256: a457df7bde4e48561fd87e9fca3df7044fc3a9a924568fe38615c45cee958741
          SHA512: a722db24992af509c55f09c923e803be385b5006fdc494bfbfa45855b819afafb34305de35d5a7adfa292e453aae9f257debc8dae9362bfce7b8f41e4afc4d3b

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 201B
          MD5: 694ce1056ba8e3b8b3c1d6fc30ecb7b4
          SHA1: 0d390eaa282c51d3bd94ae4e1ed2c6c91d669f1a
          SHA256: 14fb9cb969e4ca1dd6e494baff55de93475eacecfd23b75f4106f0ab901653d8
          SHA512: c4e4f18a22029e489eca4a034db2820be796dceafffd2922d59edfd9258fc81e77ec077d5ada8e64e2c6813fcc97a52830d787197ae5635c64528429c61588e2

        • C:\Vid9D\dobdevloc.exe
          Filesize: 2.6MB
          MD5: 2eaea640c6ca3c6436663edd759a3c1f
          SHA1: 616234afae3afee7e55ba7f2c3e57c4253bd8fe8
          SHA256: 4f36c8304845010c35af64302515f4d08c93924c9075c6421437b92e267442c3
          SHA512: 648ff818cd55cdb6304b895925336ef78aa14393d19064e71a42677edbb67cc79ead803d5ee867ee61f894df7895904deb6a1f48c7e83faf5dbd878842270dce

        • C:\Vid9D\dobdevloc.exe
          Filesize: 2.6MB
          MD5: 0019475ee865cecb0012b5ae9e8b2645
          SHA1: 1aa62475d2857430fb9515238eb0e3b18968e225
          SHA256: 6584feffc09cd03a2f75c80a3d36463d8e7e18993485ed822b030833a6917c0a
          SHA512: ddba0e3a0549043f1205ad8b68770c3e260b7d5c5d8b8bcc5376bbee3d8f892bbe63e64ebfec2b403bb3e66f7392a9bddb0dff66147cbff812af3458e908dd03

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
          Filesize: 2.6MB
          MD5: e538c5b2ae4ef7159d430b149a46bae8
          SHA1: b7edf37155c2889eeb08ab2db3eae447985ceea0
          SHA256: 202cac51887c7853421e3ef163da2126d8b233801c3d73d54275c0f5de03f497
          SHA512: ea5da3192b6ad903d3eb3298eb87420760a84dc2f8552d5ad7b6b10fdcde09e57c26b56a71888e8e3801b9e67505147506aac31fb9fbf06c85968162b30448f1