Analysis

  • max time kernel: 149s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 23:11

General

  • Target: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
  • Size: 2.6MB
  • MD5: 8f8e1cdd9154f1733e8c7246264bd4c1
  • SHA1: ba5ac23a3dd0657542f218c68e3370a413f16dad
  • SHA256: 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe
  • SHA512: 2619102b7625d49e22207d477beb662bd546370419156e8cf63050308f373970b168ae76f671966f9fafa323f19f11060740e076def0abdbfe5f151f504d4903
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpEbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe (PID 2388, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe (PID 2916, depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\AdobeLY\xdobsys.exe (PID 2428, depth 2)
      Command line: C:\AdobeLY\xdobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeLY\xdobsys.exe
    Filesize: 15KB
    MD5: 10e6df3619bbbd1a2464d5000a56fbb5
    SHA1: 9080f324c059847c04fbc434d62d8ab2e06140a9
    SHA256: e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559
    SHA512: 9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

  • C:\KaVBRU\boddevloc.exe
    Filesize: 33KB
    MD5: 0bff6a8bffb6b865fbe4908d666b07ee
    SHA1: 5e176ff62c86ebbdaab5e545079308f50395f3f6
    SHA256: 1eb6a2dfe3b351441008aee76bdb1d3a3300807adc21d0dad4766ded0fe17855
    SHA512: 6a6d353a1d440a17b0b10022744e48ce835c6b0a92b97224dff9d7f00f6e0a619ae3c0ecaeb891c68baa42a686e14df25712d05c5893b56d84075279e3cf1a2e

  • C:\KaVBRU\boddevloc.exe
    Filesize: 2.6MB
    MD5: b5b522feeb98d018a0726b259322835a
    SHA1: d71081e65329944182b60b9443f24be45c7c6d50
    SHA256: 56ffaa2f1b523e7b125e495f6106d9ed7c56eadf2488b2022976075188047389
    SHA512: b8649bc9de4bcb3d66c4c40f1c3c34768c1d563338763fd44405568623765bd7ca8450097910c8742fefcc9d31bf24555f3f07b5aae7ab9be5f9e081329023af

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: e761304cbd60bbcd692dd7d7f5dc2634
    SHA1: 81287d927e1095d683c151d4fe8a2463cabeeff6
    SHA256: 5a303610386a82c6bba0f70967ede2f03b35527bbf5e35f449da34290f06f219
    SHA512: fa8db3b8c995866b72c914eb62da17afaf175df14cc1c58ded828d886dcd021f16279de3c14d70fa237470b4407c9ade317e5712340c28a6e3434d78e47ce886

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: 1eb93465e67d9e83063cebfb39299343
    SHA1: 177f56f2065cbb02d4ccecf6afb031116f4501b3
    SHA256: 7d499b47d6ea8bae64e5fda7ced238b89ca61f0fd4dab6716194060faa8cf0e5
    SHA512: a7c2ef207175d67f55b8217432ea5d8dcb5583c7716a5c398810a323438e27f8c14355450c405a715812393de83321e53656da0633e88fcc5b61c33d27a6583b

  • \AdobeLY\xdobsys.exe
    Filesize: 2.6MB
    MD5: 3b3e70f8f17bd6d0cb900dc7cf6a95e2
    SHA1: d0c6f8710d067a717aa28770a00b51f568a406e5
    SHA256: 91d67129d201a76a55b983ecd427a999b091ce4e615b8dc2169917e648dcfcf5
    SHA512: 4e8c4c88011d53ceedc26ea04a94abd50b2c67a49ab5b60c826b50a09d86b856fb379a23f69e7274da0e51a18181a4d68d4225ab6f6961ca96b15bdfbb46b863

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
    Filesize: 2.6MB
    MD5: 8187191e9cf58684a89c8ae94842c6e3
    SHA1: 89c5d60bfbfda4aa26acfc4bc28c288f7875d6cc
    SHA256: d218e41e086c465e1a1ba18dce49929c064f1748c7836adcfbe8a76eaa7efbd7
    SHA512: 35d997e0de54c4913939a11b6ed4ccbf9f1059a59f48d47e45858a6b298a0e5c1f5f7bdb5909e44d8de2b8bb32ce6c4a2432e124f403982639c516f680e5d50f