Analysis

  • max time kernel: 120s
  • max time network: 21s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/11/2024, 23:24

General

  • Target: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
  • Size: 2.6MB
  • MD5: 2e47363aafdf52a77e53e93942f5cff0
  • SHA1: 7ecd9a116d4e5e7b3c5d4342a05984e86c777bd2
  • SHA256: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7b
  • SHA512: 0a0c086e1bb060fb85c6b75befb53710db13a8eb54d5587444b18dc6d8e1122dad733c91b6c4200e4c4bb1f75166434bcc09736e0efda3a01326549bd55fa4bf
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUp6b

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
    "C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID: 2412
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID: 2084
    • C:\AdobeV4\aoptiec.exe
      C:\AdobeV4\aoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID: 2904

Downloads

  • C:\AdobeV4\aoptiec.exe
    Filesize: 32KB
    MD5: aa404e81fdc4946ac80a30fbf1b10c14
    SHA1: ed71e23df81576b945ef2f6e00f8f5b35f6a533b
    SHA256: 93b7a38f773796c870936ed5977333e42c13a41c33ba790d40d9ee15d294bd79
    SHA512: 3e210cc458293feedc8e52a4502d6a1fa12b5f5987d3bcb5323174b27f832f654224255aed64448d908132cb1173f0557d9a2234ee5e6d9caa220da210ee1ef0

  • C:\LabZ8A\bodaec.exe
    Filesize: 2.6MB
    MD5: c591efcad97a654bef2575cd58d4a0b1
    SHA1: 0b921bfdf205f29802ce6969c1e07c776635c42e
    SHA256: 492568b6ff3aed2deccc990f35438dd3eccfbb329129b1dfb292665a79a8743f
    SHA512: b395a44d7acdf69851d48f81affab34e9ae934295fc950d2af04bd3e7dfb69c258052e4f0e1c6a61bb8d45331aa7aafb6fe3a7f9665474e4d8f79014f04994c4

  • C:\LabZ8A\bodaec.exe
    Filesize: 2.6MB
    MD5: 9e3a71ac94137568ad74cd951436126b
    SHA1: e6670517c50348cae97a5f3b5fddaef8c40dae66
    SHA256: 9215fbdd55399cda225e2226edd2ef7618c4955200cf7f56a8421846b94e0d77
    SHA512: 44be26e214abf0766b3b281fbf236b09620e045469c463ff878e1c319754cd3a2a1fe716d543c45fefee1384897ef50776cbf15f75d713d9988c908bbc814275

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 166B
    MD5: 78ba6f2743c02b1f156cb7eeb0b91a0f
    SHA1: fb917389ea02d19d8290d329602c6fb1dd1b4f8c
    SHA256: d51c4e03a9aef20580ed77e5a56b60624eadeb6c06d126f05813517e94c46461
    SHA512: d2b5b0fabad63e6885b2929497d34404b9f686ae59bb9ef67a5ffd1ef7f4957d4e5475ccc1f7aa0aa760f1d853421536c1f3d69dd56cc8bb351b4dc1de5f3830

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 198B
    MD5: b9cf59cc26fb838c012d6ce9b43e7909
    SHA1: 9f647bfc14c4926bfe8d79005c97440d8d96775f
    SHA256: baa614e2c7767f5514f4e1605a393a8df05644492a7990f8ad7e8f4ee95610cc
    SHA512: aa4b8f4f2c3e0a8525ecb8baa49b6d356e387f3367ab3b657e8456a035046efebf1744d6b752032ca6c39d0e4780c9e2fc9db58eb7ce9539f0b880b447e6b8b6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Filesize: 2.6MB
    MD5: ff5a5d7f5f622a427e890fbaf8f98211
    SHA1: 3917a1b54977efc0848970e1f39805180488dcb5
    SHA256: c040eb2b101acdaa0ddf9bb6a19a9e648ba4a870e08dd4cba2f57350cca8ab2e
    SHA512: 670c189cd591f8a6f25f5bee7273d263834ab2f567f3931f1d282d514f1c042d0046d67badfb234577340a8897d84dead0e54b7a1d27d28da3cfcc2b165519d9

  • \AdobeV4\aoptiec.exe
    Filesize: 2.6MB
    MD5: 3bf0ea8743e0801be5a7ef1de0a73ff3
    SHA1: e0c8b807c4f9eabc23787cc696e50788ad60f922
    SHA256: 837c7a2a1c38fbbb4f3c8fb8eaceba4d136d86e91eeca214597103158e4b0bd6
    SHA512: cb9f82109f282caeaa6a328f3397b28c1d053d0cfe2d2e2aa49189750e7d83ebda711da0c5a6f0bd99fd2ffb6afb21caa9030baeecb86ebb0e508aedc13f38e2