Analysis

  • max time kernel
    120s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:23

General

  • Target: 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
  • Size: 2.6MB
  • MD5: de5119a5833a00c284562514bc52aef3
  • SHA1: f2e62e9ff4d6d0c40c911b0dc404a33d18e22fc2
  • SHA256: 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf
  • SHA512: 3a024ad05413ff62a08d19e7d636cbfa29148f714b8122de5dcfcea137f2b036f738fa9748e0f7c9dc258a099b75a698e3bf36dfeb5d46ebd0d91270edd050d6
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSf:sxX7QnxrloE5dpUpabe

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
    "C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2104
    • C:\IntelprocX7\aoptiloc.exe
      C:\IntelprocX7\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1804

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocX7\aoptiloc.exe
          Filesize: 2.6MB
          MD5: 2af0bd5ae01f91857312e205249995d1
          SHA1: 15545f051e50ae35e2410435316f63229c22a595
          SHA256: f719e1c91547caf5183f75e548f5895b71b140e2da525f945163fbb686bfaaa5
          SHA512: a1c24aab3116419bc6370980f8503f387d0064a25044db6ecb95fde40938d302c016564557e6fe6c527466e0d36393a13bd40e0c97736254dd9f8edc1f3ad081

        • C:\LabZQ9\dobaec.exe
          Filesize: 4KB
          MD5: ede40b36034d11420daf9b761d447622
          SHA1: 83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7
          SHA256: 6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4
          SHA512: 0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120

        • C:\LabZQ9\dobaec.exe
          Filesize: 2.6MB
          MD5: 8db449dcb72c9cb76f3b40a45fa3b7f0
          SHA1: 5746e2ddb56a8e87296f9bdd26afa7556d134c18
          SHA256: feabc132898df8d45ccf390c9cd43660f291aed81f63d168562c4a01f24919db
          SHA512: 7a9e218404df7227dc36d9c805ed5bfaf1ab1fd52af11def0df7e41f7af2f15e64a5a8a51b36edc4ca3fd64a4a8b07d27f83d072743d13ba8afc37a99d0892d4

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 204B
          MD5: 0b09938aa678b5ee0e8547df86070fc4
          SHA1: 6353d418f3f66cbdd151acab931d584369be46c6
          SHA256: 9c6180bacf11c7c3ffcd5888ad67d3299bb3ce897f0072972ac6840651e18eb9
          SHA512: 98ef93fb21f5e99196c9dbcc740f9d041979f511a5de21b4ecdebf762f604c7c20b720d2b9b58c5ff730a75dc2ca67226f7d3c7b5b0b76611f5e68d875158ee5

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 172B
          MD5: f72c6641f65846b3897873642263656f
          SHA1: f760e7fe1da9c13a96e36f600f22d5b697bdfce7
          SHA256: 17021cb0b1f2f42aa9c4b3c3ba82911e595970d0a812bfb2fa465c145fa754b4
          SHA512: 30941d93aa03fa981366aa29661d9068bc2b0b4fa2a42bb9c5a762e96be67086905ace7224d0dc080ba4fa3b455300db7e482eb707ee76795a8bcba6d0990075

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
          Filesize: 2.6MB
          MD5: 304cf9add85867d5d8cded1f02b271d0
          SHA1: c23b6913f42de1af7a58a9f1a1ab80b9cc29de75
          SHA256: bbb7b7857fd05a515f07dfe814d34d5a6b8a612cda9e5cde22bcc0454b21b7da
          SHA512: 0c2658a1e524111b6183efafc5db3cd79bdc879114a1a30a0076c6e9f885485f80311be764ff7f7168bbd7f6118a6f1261aeaf0fac8b55c987b307189c7f4656