Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:20

General

  • Target
    119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
  • Size
    2.6MB
  • MD5
    9c8e2668fabfeb142bb974b0d69a0a75
  • SHA1
    cfb0173ceb3461fca2da5e7b7f6848b3d0c3be11
  • SHA256
    119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30
  • SHA512
    929884d5ae9b9124c95e79757cee62a4341bf55f2a9150ec5b99a383a0b47fa1f67d0b29503eb6b57c5ef7efb3a21b48acd1f6df0c04310aa93066b47901e6ee
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bSf:sxX7QnxrloE5dpUptbA

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe
    "C:\Users\Admin\AppData\Local\Temp\119ce5247c164be3323cc5fb9a1af164e494ded85da24e1589f3c0d25e74de30.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3788
    • C:\SysDrvWI\adobsys.exe
      C:\SysDrvWI\adobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4768

Network

Downloads

  • C:\KaVBOQ\optixloc.exe
    • Filesize
      3KB
    • MD5
      1158f86a0845ee6fe9ce7b682fd51439
    • SHA1
      caf9890ab05a6eef87827bb3ab60eaee3b254faa
    • SHA256
      3d1f80bce336609701c74a291ec5f27ae76b198dfc51fe6615349996dcba8ab1
    • SHA512
      3820fa06d8911561113535b4e01a0e4a3bcb87a566762f0995074fdd561e824454613a36d5347004f0370ff27867df4f962f498ca63e8e4b5e82c935860d3503
  • C:\KaVBOQ\optixloc.exe
    • Filesize
      21KB
    • MD5
      c9ac313e906df1f057c5759320a5feac
    • SHA1
      6f1bb04a2bcf2f67632823911043d6c3db80de2d
    • SHA256
      b4130f462775ca1786a87d2bb2551bf5c3bf0341a658a98b47a682ef5199fd0d
    • SHA512
      b782353e01cee193e32a075797ffcb25fa8a4a8ad8d857f1247560d850f7c2cb77598ea4b65d72ddbf45b7566c0efb59196b26ad8e6d13cac41f806deb708bde
  • C:\SysDrvWI\adobsys.exe
    • Filesize
      37KB
    • MD5
      d63a823168f9fe823402bd544db3a7f6
    • SHA1
      9b86fd4b090688f3b8b7895822bd94c632f0e8aa
    • SHA256
      5b94b32986d895fee06fe460ef15f27348b8205ec548909189edac07a17aaf25
    • SHA512
      d08c95656226b1e7f4a7223d1ff91590ada4ce93f2c5e079df57cbf86616eb2c4c639f700f66618178363b89a88561ce648303b8237270ca8e7f8cb54b6cdcc8
  • C:\SysDrvWI\adobsys.exe
    • Filesize
      2.6MB
    • MD5
      ef6e98d76b01749350af1376877a94a2
    • SHA1
      9a9d371b9ed3cd96d5a3cb47379de4d91d417823
    • SHA256
      882003ec8f5a850819ddbe3fe948cfc2cc067964c9bf32ab4bd6390b3e4af92a
    • SHA512
      ab208206dd275e4659b2ae2a86d6f5bc79eab71c72aedb36a4291416f8441af56d4c0f1195e430d42bef391971898c1c5f016ec970f5e355eb882e74a476f560
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    • Filesize
      205B
    • MD5
      929f1a4b37b34dcdafbb732a0e857a44
    • SHA1
      53d519757f3e6818613d76fc5262e86a1c997734
    • SHA256
      680cd41a178fce11fc946e39eca1f647fd7f16441a8f35f83c884727d89f9f70
    • SHA512
      c40cc7db176ff01d8311de7c5d77fdd21ed60150c37e2cd1d0314087cff7eeefce375f03d1ef82857e2212dc8d525bb853c1fe701de0365be548db869bfd79b5
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    • Filesize
      173B
    • MD5
      dfbde180a5d6517e769767920a9f3284
    • SHA1
      8531993eafbc87679f9abd94b3cd5df6cd48d981
    • SHA256
      6c22100f33a7be204f617c31154258390693eee89167959e29864e52edde919b
    • SHA512
      7359cf2d21524a75cea0b7d049b51a48ad53a3929d84da7fab3879421790e19e74ba3b8d477ca1cabc2ba30ca6f82ece4ec42087b418827eafd2b52e2260b607
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    • Filesize
      2.6MB
    • MD5
      e540afa7cc19bde7178c682401d9f620
    • SHA1
      2dab0adb05fad7fe460f555a8d16ffc84d270f25
    • SHA256
      3b16bb278dfa40a0f8d9fe484ab3234a53338b57ad988364f75bd0929d99b8c5
    • SHA512
      40ee8d257fd3113c76021dfa2d5b98559a2acf7ddeaed6bf5dd5f188b25b445fb080727da466d8931d32f6020e0d357b7a903163fe3e9be7380c505f8d1dc0fb