Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:30

General

  • Target
    8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
  • Size
    2.6MB
  • MD5
    d2403f45884e0fde9b26de7e4bd1c3a0
  • SHA1
    5a6c9b8dc6a3f9e98d0a6680769d17854782bde3
  • SHA256
    8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141
  • SHA512
    bcc057d3047b35f3804727f51c84e7dfef6573f9c0dc85c77fca03ee6859ba5d15553021541cfdbe2c089bc7b22587466ebbf7455dc3e671b14b9fa69853735f
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
    "C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3396
    • C:\Intelproc0E\aoptiec.exe
      C:\Intelproc0E\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc0E\aoptiec.exe
    Filesize: 2.6MB
    MD5: dbe22823c7022a2ca08e09183f69c5a1
    SHA1: f20a210b2d8d193b046def7e50d1d6d68ffb858b
    SHA256: 37b169becdc2af09818564b23d1ab585e522732df01e231667b04e8464bf941b
    SHA512: 3d7a30e9d21aaaf67802c3b875e8ec0ea94349164280e74cb30aa10b4ce7a54f23d00ed86a7abbde52866a54a866633d7047091ef05d4c9e2dc794a1da943e6c
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 29632ef342cd4d058fab7081de8b38c9
    SHA1: 79fcb2b64984de7b955f2c445e357c46c584fd7e
    SHA256: 119125a768af84827fa9d16285b175f411b6dded4f33c1311d14f5c561cbfb3d
    SHA512: ebfb6db3d898e4c4f05f8187d4eae5a09647e3e4432d8fb4021ce02261d729ea8831a761500aaba028139e648bdcd351431dd9332b3786bea68ab0fca79bb82f
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: 5956c438f20edb92abb9bfbe0d32898c
    SHA1: 3e9913e2171b59bef5f8dda06998e67f984643d4
    SHA256: 9370abbfe9cc5e05024a9148e024dc238883dac0d346d855c634d22d79d0ea7a
    SHA512: cbee199dac2ee63814e4f0f4c1fff1d08bb7bf5acc598275227e21e4fc2a046b5ee01e351ace01562d003f5454f63b68b7d21d521266ffd0c6b378654c3e0c95
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 2.6MB
    MD5: 5933cdefdad094e75a166510b89f0e9e
    SHA1: 7dbb983188ca7fa5418a4020a988b91a8a8dbe08
    SHA256: e4abc9536253a97547d89c9ff472e9bf1751ca8be3389102d74fcf5603a5b993
    SHA512: aea12f8f51667e17477a333bf1a36bd606d493a554cae21e04c53195a3b783784f26e0be8a7489a270c4737f3fa76934afe22199f85a3a058471b8dc66a4ed66
  • C:\VidJB\boddevec.exe
    Filesize: 2.6MB
    MD5: a0990a322d88eb89c7f828a7aa4d0548
    SHA1: 36f0a6b2656310f34302bf0013856be5ae37fff7
    SHA256: 28d50350bf4349acde64371c7dffc78b9097dec1d54f745f58de13575e2a79e0
    SHA512: 8e8da40d6c1c27d42bd6bfab611c36d4aee3d764220d8e73ad19b67584ae698f0d7672bf2f26130e8d697a41e18b3c1f323c62d98e96d02bd340992bc640fbea
  • C:\VidJB\boddevec.exe
    Filesize: 2.6MB
    MD5: d6ef944603d160b8ca825a93471a86fc
    SHA1: d117d894fe73e8cbe5a09bafc0cc8890919d74ce
    SHA256: ae5a5c4498946e8e41773d2b484fb1c6a500a96eec5634e9b7b72332a1db95d5
    SHA512: e7df1acc0d9ed243403cac264495a98bc335f538c479b79e0d047c030a5649ff280e0257a5aa11838f229bcf5a6dead3c87d20d73a124a8800c1d3dcaee7b844