Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:02

General

  • Target

    dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe

  • Size

    2.6MB

  • MD5

    2592424d2fc5fed0e389c9ef93d1ffc3

  • SHA1

    cfa1a620ad2808318c8d4f282d474e0fbb4556e8

  • SHA256

    9f162b3ad9ca4820511ca82de5d7b93bda80f37228bff0b996482b207e2c8260

  • SHA512

    5d769a726a5c2f6e3f126682b97be67cca53fedded8bf313d85a858df3458001c78e2718c32772ca44c4594240e842253f254a6f867f7410b995025fb3f61f7e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqi:sxX7QnxrloE5dpUpmbVi

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
    "C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2236
    • C:\Adobe7G\xbodsys.exe
      C:\Adobe7G\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1256

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Adobe7G\xbodsys.exe

          Filesize

          12KB

          MD5

          5ce46de9d1c8ab23eeb8a98bb0b2232e

          SHA1

          eb2b026ffaf5a7802065fa5971c5c4495fa6763a

          SHA256

          0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0

          SHA512

          173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

        • C:\KaVBXB\optidevloc.exe

          Filesize

          2.6MB

          MD5

          dc841518908b59993a7dc3b76f2d8fa5

          SHA1

          11080f957adaf78193805a781975215a008b1e41

          SHA256

          b9dc4e1720ebc4c4fcdd2a375915ef115c2ddfb26164fd1c32aa96d7e59d07a4

          SHA512

          fe4e06f7a689364c17062b5a8f43776ba7f64659e639ec71584188cf1c2f80c3eef37240e05fcab92fff1af5ee53089a9251005d799060080098bbeb37aaf11e

        • C:\KaVBXB\optidevloc.exe

          Filesize

          10KB

          MD5

          211c211281a83cae04ba8989e177223a

          SHA1

          2c6a912a90ce71ae095e8f16a97222e28964a271

          SHA256

          c2beca0f3cf592fda96ba710769ff2d67fd97592da9df195990bf22499d20a4b

          SHA512

          10dbfb3c33737e1b9a691fdbb89cea3f018443e481d57887d53a605597bc3ba56db26480f2efdbf443c71b4f4a0b594257d8f34f4cbd7826ff71936f4b5487eb

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          815912636a6bb7ff6b5e88866341a66f

          SHA1

          99ba5bf340c1b92572512d21a35c1d28b82659ba

          SHA256

          fdf009d1c26fa1a7e9c214ea694e3eaf6921831afb38ba862d2a2d8255517da5

          SHA512

          55ff89d5eafb204d1df9861e6bad9a749fb27ac80b67a3daa6b25e488f31bd1b8e9a5b6ad2592a04fb37ab5f88de0e356df0236dd88d9e55cb5d5bd20bffe981

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          d1fc3f201e8090f8dcee64c474cd0cf4

          SHA1

          6024cc3ca5aa6ad6de71eadad73d8bb33deec076

          SHA256

          a60d58e4cfc3ce5d8a12fcdd798d8d94a7917bb1f845021ae4e800eb9008095d

          SHA512

          8f4d8310c3f0c142b2507d3232d85176bfe8dabadec18c5f986d007320b420b7ffa823fe37c66c1b4f23380e3ea1c238d89b4966594b9e547e9f3780cf1a9731

        • \Adobe7G\xbodsys.exe

          Filesize

          2.6MB

          MD5

          6549aa20c876e6bf63cadac932ef0590

          SHA1

          16c184a26ece04e50897d6f0ca3dccc459089713

          SHA256

          69a0d6dcae021488732fa5d434a86b9bc7b4ff9571f55b8d5090b670eb55a55b

          SHA512

          261968386848629b0f1000a2ef42810d6c963ccd1f5f422cc0e35296f2b7ec59d0499d1cc50f1580935875b47433102ff57d82eea4766ac7928755286095537b

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

          Filesize

          2.6MB

          MD5

          cd4f5eddc43ba9e26c1df2090b781fc1

          SHA1

          4f5a040edf0f2d95416f304f86878a3cfd5b9b07

          SHA256

          c1d4c6e0110f24dd5cc07a7468dec5fd6962ac4c67aa63bca49eaa9848583fe7

          SHA512

          44d5e9bca88ed2689ad8b84fd881b816f4ad0f36feff7f3d2bd7f9c1e8e9c69682a9486eef0439c5a526ef36b2fb66994a71f1bda611ee59312bb905240c27d4