Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:38

General

  • Target: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
  • Size: 2.6MB
  • MD5: 82ee2caabd4291c3f418f19b01e71ef0
  • SHA1: ae4eecd2446a59803a079037d2cfd42e3cae528c
  • SHA256: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad
  • SHA512: bdd9f4ef5d20e7ea24ae506ba6e929d968bcf38fc66341165b19979dbf9d5f3f57a8272a43adfdeaaea37de372c8329c1b6fd978440aaf22caa8ff9da5f706bb
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSq:sxX7QnxrloE5dpUpMbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
    "C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe"
    (depth 1, PID: 1876)
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
      (depth 2, PID: 2788)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\FilesY5\adobec.exe
      C:\FilesY5\adobec.exe
      (depth 2, PID: 2684)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesY5\adobec.exe
          Filesize: 2.6MB
          MD5: 3b42f40ce641136c286e451de1180057
          SHA1: 3841dfd4b3380d4f288634a411e5e805b3a22f84
          SHA256: 66e851d96fb939a9f2beddeaa5ad8b9e454f1af5d44b4e39457dedb0adedecf0
          SHA512: 1351f736ea3b7d0d42f49d425708ade5b8f20933854d9b5e005c34d3e3485e4310201ddd06aae3ec470a90a87ea67009a4ff81a5fc75c61a36594bfebcc00be5

        • C:\KaVBRN\dobxsys.exe
          Filesize: 2.6MB
          MD5: 6d80315fe7e3c391a78b8ab4cd8b59b8
          SHA1: 0b8289fef5c26d21bb35e9f7391d444e882626d4
          SHA256: 1212f7f989e54d3a4dd5b1f7c141bf1af080f9ecbdd95459e4e5be4fc14ea070
          SHA512: 7de1e06636217651c75cc111e39aca96752a447479cd89c60328f56ea27d187dcf60f71f0d8605a5a6f0455a149ab4c564964c8265305bfec228744c9f368bb5

        • C:\KaVBRN\dobxsys.exe
          Filesize: 2.6MB
          MD5: 2430594276154b359e82593045abe164
          SHA1: de7f5d38e61b4c9e56a2b4bd1c4b147f3615a4c9
          SHA256: 864c7c837a86d6d0a9ad0cd1c30127932441abe822487bd2eb29369419153e1e
          SHA512: 3217cbbf1343fe965b7c1196aa313515330d63c5b64194a9d33fadf860400d788f1da78ad6e74ee00aa6fe12c4648d991733f33521d7636c29f10b9bda154af4

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 167B
          MD5: c53c40e59294e1e2eed5f658a4d1a8c8
          SHA1: 02ab5f6caee6d6b196d27d9331260d713b4d42c5
          SHA256: 07237624a0ed0a4cfa5041fb55f5e28858a82f6118ea298666b4576396825dbf
          SHA512: 36c72f11e91424224a8b1cbf97fcfb320e6175476465d1d64e6c0acdd157ca7ccf342779687b79bc40bc98dee4db8e0b7ca246e415e67129c62e74aec544c148

        • C:\Users\Admin\253086396416_6.1_Admin.ini
          Filesize: 199B
          MD5: 927dc9d0edfbb129bd2142d325e7d16b
          SHA1: bc2cab6df3cb0f0c127e7b42a4323a15d9d6bd2b
          SHA256: 1a4bbb9de5c9c982a22032dbe7ebbb424f70eed95a86b93f5a6bbf6d2906b8e3
          SHA512: 8862633c57d03ea6c44f57b4a7632a3d8af14b7072c8f79455dc21ac7df0c6d3652afc2f76c873ddd37a5b6c24ad71b835077026bf2fd7b4d5967e3e2bd0884a

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
          Filesize: 2.6MB
          MD5: 66dfc3049629a01c730729943495b47d
          SHA1: a52eef5f8f088c6c214ef94911083a20368be253
          SHA256: 0b4eecf4faeb67e9567c8ef2e4950646d3652c60f90086bd0fbc1ca58b7782a9
          SHA512: 58bab0041208be7922c3d8eb052881e1520348eda2ad3de3357e6a7163a3b76bf868ee85e08567309e84e6fc47d7a128c51c376375413d7e283c9bbc7d760c41