Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:11

General

  • Target

    67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe

  • Size

    2.6MB

  • MD5

    8f8e1cdd9154f1733e8c7246264bd4c1

  • SHA1

    ba5ac23a3dd0657542f218c68e3370a413f16dad

  • SHA256

    67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe

  • SHA512

    2619102b7625d49e22207d477beb662bd546370419156e8cf63050308f373970b168ae76f671966f9fafa323f19f11060740e076def0abdbfe5f151f504d4903

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpEbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
    "C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1448
    • C:\Files9M\adobloc.exe
      C:\Files9M\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2056

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Files9M\adobloc.exe

          Filesize

          2.6MB

          MD5

          274e5585aedfe98896b8ed6e3dac0e64

          SHA1

          bf56fdadcbf15e2f9d58281be1a7b944995409c2

          SHA256

          71aa807c7a8eec222df62231c87998670ceabb67389c69a00c719afe43c73820

          SHA512

          9c115d495cb8387fc243a8e67ecfed31e15f0169137a68e00f36cff634a53498726e69506869f26c8f19bfcdd4d0af175278f386cd7a43eec0634af9f9bff45f

        • C:\MintGD\bodasys.exe

          Filesize

          2.6MB

          MD5

          3f55fb9ab7829db24a822ce85b240c3a

          SHA1

          76428855a95a89dd8aec0283bd6790ab906bd0cf

          SHA256

          d725e6769caf1273e0fa565bd3db86f57854765b5c830f7ee8d296e4c22d7a84

          SHA512

          7f8a1deb30088733f9b47dd9e38158862e4dc1c1adbe53230df2e87d22145b775973fda86948fb180045d184eee9ae3ff8d4a08fe401bc30404a476b38582265

        • C:\MintGD\bodasys.exe

          Filesize

          2.6MB

          MD5

          1a5c7f172ad273d235d0f868c1be4c37

          SHA1

          ecc8f1f0e52cde30a4e5f429c11eead50b17a6ce

          SHA256

          369a68a29f50b1ee76751e6e9c3e86e735524f4a52ca9dfa6419f494ed745d27

          SHA512

          bdbe641bc4577789f78056b34915f1fe5d1f9d9b84bcb36150c4c681a3006ab234966d8fc056fdb37d531151dd1bc5862590fb249426bfcbe82d124c22d361d8

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          d44362fe379f3f635404cb8887cbde71

          SHA1

          411dffa57b1f9f85a6283c8a55b4508499dc53bf

          SHA256

          89680c99b1c3de936b5aa03bf1afc2cfebbc795644f03f11dee64e7a6ec943af

          SHA512

          6524dd4c853b09eac7d83b4471cd50937ba03c9da886b8dd541e3ba00e819e3b2ffbb523bf520f2247ce7f6b7e4672fffbdc82400e76838f064b04e95eca9f54

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          4b901f056344704ee8e7a3590ebc8ebd

          SHA1

          828272ab43014917c56241cfe560b1f042af4813

          SHA256

          865e244b3665ead5657c2e9d9c27ef4916de7590fe968386a0384f1dd97aa6d5

          SHA512

          245fea705bc8ed2a6567d779fbccceb8ca2bfef5c5f32bcf97feaa0c8ebd5e57ea17d6c58d4c35dea0a7c95148e73dcc07ddc9905d6d7fd918f2fa954ed964c5

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

          Filesize

          2.6MB

          MD5

          1983324de22177c05c175fc86f8a2d0d

          SHA1

          b12c52b998cf474df4e0ec53bbea83c0e64cb218

          SHA256

          8e289fea78dda9dad5d2813de8fce5b2e1961b0f728524302abefd8ef6a21e51

          SHA512

          622c8c2e54bb719085d87644b9aac75619a2d3ba09688fcb1aa968c63749f876690cd16ede7f23fa930a3c559aeab5e221b8e24cda639ab9177fd46ad599a068
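The signatures and process tree above show persistence through the user's Startup folder (sysdevopti.exe) and a Run key, and the Downloads list gives hashes for every file the sample wrote. Two things in that list matter for detection: C:\MintGD\bodasys.exe and the .ini file each appear twice with different hashes, so the dropper does not emit identical bytes for the same path, and the .ini name ends in the sandbox user name (Admin), so it may differ on another host. The script below is an added example, not part of the report or of any vendor tooling: it takes artefacts collected from a host (path to file bytes), matches them against the report's SHA256 values, and falls back to matching on the normalised drop path so that a same-path variant is still flagged. The artefact bytes in the usage section are constructed; the path normalisation (lower-casing and replacing the profile name with `*`) is an assumption that the dropper uses the same relative locations on other hosts.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIoc:
    path: str
    sha256: str


# (path, SHA256) pairs copied from the report's Downloads section.
REPORT_IOCS = (
    FileIoc(r"C:\Files9M\adobloc.exe",
            "71aa807c7a8eec222df62231c87998670ceabb67389c69a00c719afe43c73820"),
    FileIoc(r"C:\MintGD\bodasys.exe",
            "d725e6769caf1273e0fa565bd3db86f57854765b5c830f7ee8d296e4c22d7a84"),
    FileIoc(r"C:\MintGD\bodasys.exe",
            "369a68a29f50b1ee76751e6e9c3e86e735524f4a52ca9dfa6419f494ed745d27"),
    FileIoc(r"C:\Users\Admin\253086396416_10.0_Admin.ini",
            "89680c99b1c3de936b5aa03bf1afc2cfebbc795644f03f11dee64e7a6ec943af"),
    FileIoc(r"C:\Users\Admin\253086396416_10.0_Admin.ini",
            "865e244b3665ead5657c2e9d9c27ef4916de7590fe968386a0384f1dd97aa6d5"),
    FileIoc(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe",
            "8e289fea78dda9dad5d2813de8fce5b2e1961b0f728524302abefd8ef6a21e51"),
)

_USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\")


def normalize_path(path: str) -> str:
    """Lower-case, unify separators and replace the profile directory name
    with '*'. Assumption (not stated in the report): the dropper reuses the
    same relative locations on other hosts, only the user name changes."""
    p = path.replace("/", "\\").lower()
    return _USER_DIR.sub(lambda _m: "c:\\users\\*\\", p)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_artifacts(artifacts, iocs=REPORT_IOCS):
    """artifacts: mapping of absolute path -> file bytes collected from a host.

    Returns a list of (path, reason). 'hash' is an exact SHA256 match with a
    dropped file; 'path' means the file sits where the sample dropped
    something but its content differs, which is what the report itself shows
    for bodasys.exe (two hashes for one path)."""
    by_hash = {i.sha256.lower() for i in iocs}
    by_path = {normalize_path(i.path) for i in iocs}
    hits = []
    for path, data in artifacts.items():
        if sha256_hex(data) in by_hash:
            hits.append((path, "hash"))
        elif normalize_path(path) in by_path:
            hits.append((path, "path"))
    return hits


if __name__ == "__main__":
    # Constructed artefacts standing in for a collector's output.
    collected = {
        r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe": b"constructed variant",
        r"C:\MintGD\bodasys.exe": b"another constructed variant",
        r"C:\Windows\System32\notepad.exe": b"benign",
    }
    for hit in match_artifacts(collected):
        print(hit)
```

Because the sample's own output is not byte-stable, treat a `hash` hit as confirmation and a `path` hit as the signal to pull the file for triage; on the live host the same drop locations (the Startup folder, C:\Files9M, C:\MintGD) and the Run key noted in the signatures are the places to look first.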