Analysis

  • max time kernel: 120s
  • max time network: 18s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 22:58

General

  • Target: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
  • Size: 2.6MB
  • MD5: 671ca0e4036f5e4fd20da5fa86937dda
  • SHA1: 6f7522bd908960c39a8279a20ece9200947acb69
  • SHA256: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991
  • SHA512: 7910b63602e6128d32ee1c0dbdfa1cf3e2229d7ecd339348c2fb5f0f127a59cccffb80cd66bf711edaafbfd6a4215c90066aded58995ee307141669c14bc5ced
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSD:sxX7QnxrloE5dpUprbI

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe (PID 2212, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (PID 2812, depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\AdobeZO\xdobsys.exe (PID 2804, depth 2)
      Command line: C:\AdobeZO\xdobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network


Downloads

  • C:\AdobeZO\xdobsys.exe (2.6MB)
  • C:\KaVB4K\dobdevsys.exe (2.6MB)
  • C:\KaVB4K\dobdevsys.exe (2.6MB)
  • C:\Users\Admin\253086396416_6.1_Admin.ini (171B)
  • C:\Users\Admin\253086396416_6.1_Admin.ini (203B)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (2.6MB)