Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:25

General

  • Target

    34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe

  • Size

    2.6MB

  • MD5

    bbf43291083500c1aa9195023fb8038c

  • SHA1

    9fe366b06a5eda3b7e58fbfb3e4cbfcca499edf1

  • SHA256

    d0608ed4f5d17b8e9fe55fd59f06f51c3be3a850d0a9edb83b096aeac4296515

  • SHA512

    577282a24e7dab7994308f36e95e2fd0665f8866170d810503cd0f6a2dbf3022d9e5d30ccfc352596ed917b54fc7a07f891446cd0a0e0902ff31e4b93fff24f7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS5:sxX7QnxrloE5dpUpZbg

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
    "C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2908
    • C:\AdobeCP\xoptisys.exe
      C:\AdobeCP\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2344

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeCP\xoptisys.exe

          Filesize

          2.6MB

          MD5

          69c569ce85ae4ac92c23ed62ccfaba1d

          SHA1

          483d0707406120ec71fec0e01f126613f81acd39

          SHA256

          10df2fd229f5c5b41b22a6fd23c21230051d39ee5e22742d526487591eb569ed

          SHA512

          f494a3b99ce601c193f32814c99900019ca11864ad8d9afe3807d5c4ca55d6efbd71d4904f54e59fce4472e41bee18724e35cab1dbdfe28b1f83bd902d0de318

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          14b144f9afd091bbad4926ed3f2691ea

          SHA1

          7c686f6498facb4baf6d4176d1fb2cc5e46a55a8

          SHA256

          44769ca0084f7691077444b7b283ab31c199052ad483c597ab934c611346e74e

          SHA512

          bcd6f8c2008144ec91590753b5b1dff4ed5266aa90f118600f04415ac1b12a5cd0d13113a4d4c2a3d560c6aad750327e132d095bae48a7fdd59a932a57724c1a

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          ad16d8d6e99494bb1df98bc610c3a50c

          SHA1

          ae4da1b76b57f16ba33f5e251359fa1cdf13d4ea

          SHA256

          2cd784a12fb0a5162a8e9e19d5fa748118de931958f72c0e0e15780dd1ac54ce

          SHA512

          c983742bb363920fd800b5b6ec8ca28ab2a9b661728097d1a5e77c1b61c58764a464f89e67aeec72e73b4104de4fc0a4118562db44cb00ef29e080053835b5dd

        • C:\Vid2Y\boddevec.exe

          Filesize

          2.6MB

          MD5

          29ac6b89d4e0491177a88adf518b8427

          SHA1

          fe13633e026dab8ff34c3d4a19f2ce99b72ee8ed

          SHA256

          ba31f3902232fdbf0afdf9a1da1acc06c2b76131bbc8822240feeb130d694182

          SHA512

          ff7fa9703f8778cd4a356b48671acb733f9588a8e4faf32545e368b5881b68a2b7cd7a9901bd8c290d5f404562335db71f32abc669809de7afa6efbc76d14119

        • C:\Vid2Y\boddevec.exe

          Filesize

          2.6MB

          MD5

          04e003246e4f4c90093bec8fac8d4b4c

          SHA1

          dee33ed5496137fd9c564b37204eaff424f4d8aa

          SHA256

          126f7ad5f4b547bf3efaab4f103cf7b6dabf5aa9598616319cddd16b9d5d8010

          SHA512

          a0e6cc52ebbe0a3e26b4b2dafa3a5af828dd71d54dd53bbbca000552d571c8c6cb6ac9f383a4991393ea69c1419ad0a3826905323dccd85b3031452e93011a8c

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          6e0b2cbf1b96046a1c8d488bd3c52503

          SHA1

          67882c5c48ed4451663e424cdd37e14c87bc9deb

          SHA256

          a86a8a83fd247756084ac1b40fd7791d7bddff032e03cf19ead3011030f8e5f8

          SHA512

          c0bfe3aab14d621fe0e822e319d592f07ee484397e4105cd27af53595a5c6c6e3933dd338f63ea09311b193294a7176675b20dfb3d8e4562192ecde1a78e66ea