Analysis

  • max time kernel
    119s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:23

General

  • Target

    40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe

  • Size

    2.6MB

  • MD5

    de5119a5833a00c284562514bc52aef3

  • SHA1

    f2e62e9ff4d6d0c40c911b0dc404a33d18e22fc2

  • SHA256

    40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf

  • SHA512

    3a024ad05413ff62a08d19e7d636cbfa29148f714b8122de5dcfcea137f2b036f738fa9748e0f7c9dc258a099b75a698e3bf36dfeb5d46ebd0d91270edd050d6

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSf:sxX7QnxrloE5dpUpabe

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
    "C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2316
    • C:\SysDrvVZ\adobec.exe
      C:\SysDrvVZ\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1364

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\MintLJ\optiaec.exe

          Filesize

          2.6MB

          MD5

          9a08d056ace9e50025817279219e1d78

          SHA1

          14b4c1794c5fb00d85162a3a5f0aada37fb91ea0

          SHA256

          c7662ec3027c000a55e8faf065ccd315941ee3814a6463a2e010a79900309ad1

          SHA512

          5ef4243676c76a080909d21fe3d5cf9a6c1e8dd85d509c57a261d98ea5dee7687b5a4ce1cffc1c3109a117808b2ba79059448c7a54332e8b37079dfc62d0c9b6

        • C:\MintLJ\optiaec.exe

          Filesize

          22KB

          MD5

          e8e68023b6f3a46310e33bc164b90cbd

          SHA1

          872dcdaa4087b3b4353d1bc7bda02f9887757c12

          SHA256

          7f7ac97652169d4d17d537e46d53c77f2395a3e963cd19980b9d9ee98af6c292

          SHA512

          0e0535fa571bf776c9a31ebb94071022f84600c961f2c906e609e00fc3a57901626ea3495dadd10f4a36e8e33998c456037789ec04bea4471608bf45d20fd7a4

        • C:\SysDrvVZ\adobec.exe

          Filesize

          2.6MB

          MD5

          99c1951de7e0d21cbd66c30e8a185fcb

          SHA1

          7fbda20aaf41bc3d9ce063b1ca98ac25b8b21f6c

          SHA256

          ea6596a1017ddecd01afe779e1d0a44f94e4648e533b30777eae863be31b4521

          SHA512

          82401eb19f3d42f0683141cddd0fe41e6746df18747b5ff63daf81d5644b1e032a0992b36f9c3ef1dee849f7bb03d83620da312682d6d4f15ab7f41d7afe596f

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          167B

          MD5

          f057c45aa54911fb3cd95e183009b9c7

          SHA1

          b8b2fa3a6e439b7acf3134b78c7ddc79ebde3bd6

          SHA256

          1f3507e576fa49ab0cdbffa727c70c231d53a65a7731a90218ab06ba4b4778d2

          SHA512

          b476109fa0e1e033fd301b282a2ffb8959deb5c3f4f81dd9557e14b22fa26f4c14f23ea8bb70cdcac4a6b3383f5bb42dcfe3ccd42e1b18b63d772a6c8bd56db3

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          199B

          MD5

          dd4f0a89278139fdef85e82655e9b4e3

          SHA1

          87ae512d19424cc49e6fa67195309f203c46be2a

          SHA256

          8397ce8229501c9f3da606fda44bfe5e98bcd313c5d969cfba5ef9fb209561d6

          SHA512

          62ebe27bfbe8e5fca32b0dcd35bf0834e320bb2f3690e7ac54d1be347c8d57a43677ba091f58399090eec88de886e0e3dfbba6822b1f52be11ae7f208bfeb2ff

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          1db421ed91eb4bb42d37f5ecbc8a651a

          SHA1

          7f88ad41dd2303fc3e6d1e3ad48643aea0dca0bf

          SHA256

          f0dc27b4cd13d06a57d1a972de371607864e49b0c951fd480e3867541ea0fc30

          SHA512

          1c89c0ed1d0a0b940be186232ac040b11abe73467f92761803e58530ae300dec8e75e5e6987804d975b57b3515d6aa0835ac8d24892083b2b036048c68aba04e