Analysis

  • max time kernel: 119s
  • max time network: 19s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 22:59

General

  • Target: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
  • Size: 2.6MB
  • MD5: 640fec66562ae3fdeec14844e2da29b0
  • SHA1: c74620f93493cfdbcee93b10c4c821fb55739241
  • SHA256: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5
  • SHA512: d736e38c9b366dcc2da152a889e7062aa0066dad57ddaf24839892a0bb19d9a33eb5a894b1c5bed38a57383aa288e0508ad859a81ddce968edf355ce1816b0b7
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSq:sxX7QnxrloE5dpUpybV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
    "C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2532
    • C:\Files43\adobec.exe
      C:\Files43\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2424

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Files43\adobec.exe
          Filesize: 13KB
          MD5: 010abc54ad22b0097656874fb22a7154
          SHA1: 45bdf3c1248bfa8c3561f645584b422b09487bfd
          SHA256: 705f76c68555180f761c8c851afc45b406822827d7f5552bd4b1e0d0b4814633
          SHA512: fa5324f35df376fc039ce4e3f804a6f788d3702b680d932e1c53d240d96195a223dda954f583c38f94a775656386606d2c16788dd30a1aaf3eae959c47311545

        • C:\Files43\adobec.exe
          Filesize: 2.6MB
          MD5: 79bfe05e39bed3bfe258dbcec08804a0
          SHA1: 3e53e6aa4b1fc5c4e86ffe88156a7ac8211189c7
          SHA256: a30939aec512942ef10cc3c8fb8f46c5c618571a7877daedf0f05e9d537ce373
          SHA512: 54ee965900cc7509b8c6478389c499e31b93306efa7a38984d489b53a368ff5726c990b8e80446ed6d9a7831419b80a808edc40a6e157b8de51d2f2d92ea83c1

        • C:\KaVBXJ\optidevec.exe
          Filesize: 2.6MB
          MD5: 20f0a6c2d04c94d3aea73a3cafd640cf
          SHA1: f0739c422f17fcc49d868fb2d2296d9465367ae2
          SHA256: 1ab6252d7e5a406eb8688ac27e0aed57e7a3df230d1414c535b755cea2ff83a3
          SHA512: cd1c1de681e24c88957ecf8651b7235854a0ebb549969e96f8592b85c10717d91bbc4dcfd428050c81e5712b81bb141e1cc8af96c15badc47652594276cc6771

        • C:\KaVBXJ\optidevec.exe
          Filesize: 2.6MB
          MD5: 0a1eafa7c08b57b9495781af29103e12
          SHA1: 0e2c05c394c6fe6656354e41816b5423f4728cae
          SHA256: cb81f4d5d67b59dee2a6badfcab81fd821a2acf16690ee128964a818be1d0f6a
          SHA512: e9afe3e2c9edc2220c3e0dc26232688d2a4f523708bef9c5f9f9a8bdc4278e8b00f0644157f645935eaf4bdd4b6ec230b468269915f0869940ffae1093fdb31f

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 171B
          MD5: 7c8cbedd6ed0b62d42477f34f0cf22b5
          SHA1: dabdde4b895b9c6124e78557e5dce29598ff7ed7
          SHA256: f3190ace32657fe624ea548ddbf3c0a41a49c3db909b238a337b836309a863a4
          SHA512: 2a77391042fc4044373612bcbf2f079c1b0205df50eb72b8da1336fd0c018616c85dc56d498fad2ac37f61a626a05d9910c8a521a2c376e2d6b2fbb6289cf282

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 203B
          MD5: b293c8f04ac79f7315b9712ce906491b
          SHA1: 497bb8b806ed3c7b2e38d1172830101cbb4e28f2
          SHA256: c323b8008e3a4d726e32d167144c8c0068472b25be70016465a92fc90d5a48fb
          SHA512: 5c3d08bab6f0ac809c8b817b973e6b67486410cfe551594b993bf1a4c1ef10312df8762ef53535ef043a90f26e66460267cdb8d0b3706fe4a228024172a31608

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
          Filesize: 2.6MB
          MD5: dbbe794b7d1e9930c5e26b245b7ada9a
          SHA1: 7771e2b873cac53688dfee441ebd2b588b238a8a
          SHA256: 0503db4a865ca857c2ead9e12f797776945bf8e97f79edc05247c7f2d5c53bb3
          SHA512: b8d71bf2c803b9b173c71bc2868eee5ac045ec7ab03a9cdefb54a92ce3a14de09d7699875deb89404700c8c05b31505f432e5499b7100c3ea78c7714c9e75bce