Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:49

General

  • Target

    7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe

  • Size

    2.6MB

  • MD5

    3d9a5f944c590f6857ce536f40489f60

  • SHA1

    f5075b9092f36a62cca582b47e454cc13874aee5

  • SHA256

    7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428

  • SHA512

    3aa09ff9bfd1922f0fe807cbdb78499248127cdfb58d40c4e08ab449be0e04efd100e59dd1fdad328dc573cd8d2023ae2ba9da0399a52830544b8cd7d8ed9b96

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpkb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
    "C:\Users\Admin\AppData\Local\Temp\7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2396
    • C:\AdobeAL\xdobec.exe
      C:\AdobeAL\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1984

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeAL\xdobec.exe

          Filesize

          2.6MB

          MD5

          88d61abe9fc0c026d7dab97d7065e76e

          SHA1

          559acfebe8517111bd2876a2086320e652da36e3

          SHA256

          566938447a8acea9fcfd42f836d4ad98a57f5d19e2038322dbef27179c8794f1

          SHA512

          c0a706c1c84659da47a2c89ec947e7e1a1c2494c4fe7abade714d3193f4aac67d4ee13b6c372c56e16f864ad3374e950ff15a72b1c609b95a939b7c9ddac4ef2

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          168B

          MD5

          001f2fdcb33c3b36f249decfe708e6ae

          SHA1

          61f1dc4674a600628cb5680a866c68ccda58824d

          SHA256

          6c037f66ec8687263bab42bb211e32570585c03a83ea7221de1a2bf7ed47f274

          SHA512

          609497c66e0e18baa73c9b33504777366168b97449de3c603d728f4d14209e2c0fc3d7aa68ee841d9ac5032dda7228f8f8fb2270c076fc3c3583b5122da7a2e3

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          200B

          MD5

          478aa919f81de7d378b919c2d71129f0

          SHA1

          0a3d43f941cd77384a136bc1e1c7b15c68a56c2a

          SHA256

          663115e45d9bfa70c06cca8617aea58d2a2a2a9fe81aa988ed06791d2cd317c5

          SHA512

          c720e809f98af8548a26c6c792a6a8e2525e27e2b28fae704573e030b1f45a974888cb48c983373496a570b75370c2d9afa5770698a02ab85d4c07abe7661bfc

        • C:\VidCA\dobdevsys.exe

          Filesize

          2.6MB

          MD5

          eaa5e4853533b1eeda6f065931411762

          SHA1

          eeb92769d323f22ab7993588cb1899dce5911a49

          SHA256

          2ac9848c584f4d288d53fd7ecd28b967f6b6cc6b577b57d3f87f26e6b8bb44c2

          SHA512

          3ceee8b23914e0050d85db4fc39624ffbe06afe70d3a6e268d34089ad073001ccb1c1965a186af73854276255235039043b2172e86bba9bec598cb552e1626f2

        • C:\VidCA\dobdevsys.exe

          Filesize

          2.6MB

          MD5

          d4de867007e2b9d82ef4435e69f4ac56

          SHA1

          606e1c5f0cc271742ed447e405ee6b94e94f34e3

          SHA256

          c12003d5114a36327ff07ba7c85c181e8d037410efa83a8707524c1cc7260af9

          SHA512

          68176ec2a07b104390f9192218f49d8b850309315b63d952cce0d06a03feadb23b166ad4202c525977a21ddbaf6553fd6ab64ea39254c9272895aa31f0d3b241

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

          Filesize

          2.6MB

          MD5

          6f863215140b0c0b991e05dfcf0bf4a3

          SHA1

          3d303ea77bd125298b4ec81ec70c7f3b8a35fdb5

          SHA256

          9c45a67ecef99e6ab1c757fd435ec9c061e36cb83e2d5a37a8546f3fa10c8f70

          SHA512

          a5c8d41ded5bbca277ee14c1c425eda25f37b9ec196a084569dcdfb7ddd8b25d1569986de5e1392ad5fbe8aa5aa64e52313358392c341819923b93594c0fdebf