Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20241010-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    12/11/2024, 16:56

General

  • Target

    739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe

  • Size

    2.6MB

  • MD5

    035de7c08de365c74452708c8c4e8870

  • SHA1

    dafa05d73b2fa0a03da19772482ae4a85b738baa

  • SHA256

    739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32

  • SHA512

    e7ffb3d87e4addb180fd5881ec9a5e093a0b1a5d57307a77bd6c23fa92c48a6553dc95dc60cd2a3fbd80275cb8deefa93d2815f771e69551399bee91c3807e44

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpeb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
    "C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2492
    • C:\IntelprocJQ\adobloc.exe
      C:\IntelprocJQ\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2264
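The Signatures and Processes sections above describe a persistence chain: the sample (PID 1948) writes locxopti.exe into the user's Startup folder, writes adobloc.exe under C:\IntelprocJQ, sets a Run key and then launches both dropped executables. The following is an added example of detection logic for that chain, not part of the sandbox report. It runs over constructed Sysmon-style events (event IDs 11 FileCreate, 13 RegistryValueSet, 1 ProcessCreate) built from the paths and PIDs shown on the page; the registry value name and data, the benign explorer.exe event and the field names are assumptions, not data from the report.

```python
"""Detect the drop -> Run key -> execute-dropped-EXE chain over Sysmon-style events."""
import re

# Paths under this directory are run at every logon for the user.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Classic per-user / per-machine Run and RunOnce keys.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
DROPPED_EXE = r"C:\IntelprocJQ\adobloc.exe"

# Constructed events modelled on the report's process tree (paths and PIDs from the page;
# the Run value name "adobloc", its data and the explorer.exe event are assumed).
EVENTS = [
    {"id": 11, "pid": 1948, "image": SAMPLE, "target": STARTUP_EXE},
    {"id": 11, "pid": 1948, "image": SAMPLE, "target": DROPPED_EXE},
    {"id": 13, "pid": 1948, "image": SAMPLE,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\adobloc",
     "details": DROPPED_EXE},
    {"id": 1, "pid": 2492, "parent_pid": 1948, "image": STARTUP_EXE, "parent_image": SAMPLE},
    {"id": 1, "pid": 2264, "parent_pid": 1948, "image": DROPPED_EXE, "parent_image": SAMPLE},
    # Benign noise: a user saving a document must not trip any rule.
    {"id": 11, "pid": 900, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]


def detect(events):
    """Return (rule, pid, artifact) tuples; pid is the process the rule attributes the behaviour to."""
    findings = []
    written = {}  # (writer pid, lowercased path) -> index of the FileCreate event
    for i, ev in enumerate(events):
        if ev["id"] == 11:  # FileCreate
            written[(ev["pid"], ev["target"].lower())] = i
            if STARTUP_DIR.search(ev["target"]):
                findings.append(("drops_startup_file", ev["pid"], ev["target"]))
        elif ev["id"] == 13:  # RegistryValueSet
            if RUN_KEY.search(ev["target_object"]):
                findings.append(("adds_run_key", ev["pid"], ev["target_object"]))
        elif ev["id"] == 1:  # ProcessCreate
            # "Executes dropped EXE": the parent previously wrote the image it now launches.
            if (ev["parent_pid"], ev["image"].lower()) in written:
                findings.append(("executes_dropped_exe", ev["parent_pid"], ev["image"]))
            if STARTUP_DIR.search(ev["image"]):
                findings.append(("runs_from_startup_folder", ev["pid"], ev["image"]))
    return findings


def suspicious_pids(findings, threshold=2):
    """PIDs that triggered at least `threshold` distinct rules. A single Startup-folder write is
    something installers do legitimately; the dropper here trips three rules."""
    by_pid = {}
    for rule, pid, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in by_pid.items() if len(rules) >= threshold)


if __name__ == "__main__":
    for rule, pid, artifact in detect(EVENTS):
        print(f"{rule:<26} pid={pid} {artifact}")
    print("suspicious:", suspicious_pids(detect(EVENTS)))
```

Run against the constructed events, the parent process 1948 matches "drops_startup_file", "adds_run_key" and "executes_dropped_exe" (the last one twice, matching the report's two IoCs), while the child that merely runs from the Startup folder and the explorer.exe event stay below the threshold.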

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\IntelprocJQ\adobloc.exe

          Filesize

          2.4MB

          MD5

          43c5ff3fa226186052b93c85613117fc

          SHA1

          4bd4018a724340c2f795bb47cbf9baffac9e3917

          SHA256

          558a115d5e77d7f5701099b6e0c079d3e1256cf5118670bcac59128d8a46bff2

          SHA512

          61d971a6f303571c7e088da9049b81cbf4984897ef21aaaa16f8d4e9f04c7511cd5c1dc9d56c1402be87223a62eb5974585f684aba8687288ac35543d28d775a

        • C:\LabZ7B\dobdevec.exe

          Filesize

          2.6MB

          MD5

          fa8337145b7e1dc9dbd7907a5f1c6880

          SHA1

          da15b9308684e77422bc0114264a73ce17adcb2c

          SHA256

          dfcd73efaafe3a3eddfd365dd875cd72cdb3c858f087fa5a4db1c1d764461942

          SHA512

          01347505875e30f005145ae192dc7ff999a85b519d3e9570f7e3b8fd2eb3dea70804d451786f0a25e1c6da21a4af1e005e1ddd71354b7887c5affea653e78c15

        • C:\LabZ7B\dobdevec.exe

          Filesize

          28KB

          MD5

          d405a6e6ec1ee7e8bde0fa127d94f818

          SHA1

          3a4fc1b8659a42c0c87e2cb68df493ef10520626

          SHA256

          f7769493a434bb396a726643dfcddb3d418728f3d2de4d39bc5a2304e2078ec1

          SHA512

          0db30b1f330437d858e2a4f9ab32ec3ac5e2b5fdf0605b6a0bd6f7bd3b17f31a4967bac0fd7b59c07caf47c5cd0bc0b3e81597652c08a98bf5f1913674124529

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          174B

          MD5

          bf7fdb1ad51ee2af8fd995f153e807ed

          SHA1

          12aab9efc60eb3532079834c0161e9ec749637f7

          SHA256

          91798aa195205eaef6388fb4625874a5ae4badc693e5555b42670067f7e9cfdb

          SHA512

          3930cda80b470425d3835966404aaa3e002dda5cc9aa740c9d74723bb406188cbfe903ed59aff03e57104bfc574723b2afad4b43055f3a2338a0ba6a3cf56075

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          206B

          MD5

          df8c38738e2bcb9f1ce3c570eb48b16f

          SHA1

          4944ccff5d9d55196623270b889cfaf4bc693f57

          SHA256

          ddd0e88d7ec21b0f58a3709c26ed1f1fb2e89f00160b4b846490316b817afd38

          SHA512

          e9690a19bc158cb52c6eb92ca980b52481d3929ec277fbbcde0e1f8df325831c0a92b435fb60b6943d0fb7a01530c7daa9c4f849d6cb98f4e4a129afdf68bfc7

        • \IntelprocJQ\adobloc.exe

          Filesize

          2.6MB

          MD5

          3232993d075f305d28bb5312dcc0cf08

          SHA1

          212ca000fad2991b3c25fbe56b886b74b59ed4f1

          SHA256

          b042cd38e24e98ea6ec603a6530e4eef65c0478c92c972cd1958571815021280

          SHA512

          a8343f1449a9aa7f3302044b207e91c02340bcf2a917aee1a775f3afaeead504167940d0ee839e037f62910b55aa796049e14da2f433d303bfa13104b6500819

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

          Filesize

          2.6MB

          MD5

          f64081d471bdfd6ad575b1c659698b67

          SHA1

          c85f897af71fafea0d402a472d4ef8b91692c2ca

          SHA256

          e57fe8ffacb0633970080b047cc6a3e0f0366f30be5b149007b323bfa66c7d28

          SHA512

          f0d040ba79fea24fad3028691dabfb56589f99deb8bf50529084a4b69ce50e3115e429280fa5d9d38e332d9d635acbd066a649a7229a1866d911dfd97e578712
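The dropped-file list above repeats the same path with different sizes and hashes (C:\LabZ7B\dobdevec.exe at 2.6MB and at 28KB, the .ini at 174B and 206B): these are successive snapshots of a file written in stages, so one path legitimately maps to several hashes and an IOC list must keep all of them. The following is an added example, not part of the report, of a parser for this section's layout that turns it into IOC records and groups the snapshots per path. The sample input is a constructed excerpt copied from the two dobdevec.exe entries above; the byte conversion is approximate because the report only shows rounded sizes.

```python
"""Parse a sandbox report's dropped-file listing into IOC records."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = {"Filesize"} | set(HASH_LEN)
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed excerpt in the report's own layout (bullet with path, then label/value pairs).
SAMPLE_DOWNLOADS = """\
        • C:\\LabZ7B\\dobdevec.exe

          Filesize

          2.6MB

          MD5

          fa8337145b7e1dc9dbd7907a5f1c6880

          SHA1

          da15b9308684e77422bc0114264a73ce17adcb2c

          SHA256

          dfcd73efaafe3a3eddfd365dd875cd72cdb3c858f087fa5a4db1c1d764461942

        • C:\\LabZ7B\\dobdevec.exe

          Filesize

          28KB

          MD5

          d405a6e6ec1ee7e8bde0fa127d94f818

          SHA1

          3a4fc1b8659a42c0c87e2cb68df493ef10520626

          SHA256

          f7769493a434bb396a726643dfcddb3d418728f3d2de4d39bc5a2304e2078ec1
"""


def size_to_bytes(text):
    """'2.6MB' -> approximate byte count (the report rounds, so this is an estimate)."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


def parse_downloads(text):
    """Return one dict per listed snapshot, in report order; hashes are validated by length."""
    records = []
    current = None
    pending = None  # label whose value is expected on the next non-empty line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line.lstrip("•").strip()}
            records.append(current)
            pending = None
        elif line in LABELS:
            pending = line
        elif pending and current is not None:
            if pending == "Filesize":
                current["size"] = line
                current["size_bytes"] = size_to_bytes(line)
            else:
                if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[pending], line.lower()):
                    raise ValueError(f"bad {pending} for {current['path']}: {line}")
                current[pending.lower()] = line.lower()
            pending = None
        # Anything else (page chrome between records) is ignored.
    return records


def group_by_path(records):
    """Several snapshots of one path -> one entry holding all of them."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["path"]].append(rec)
    return dict(grouped)


def hashes(records, algo="sha256"):
    """Deduplicated hash list for a blocklist or retro-hunt."""
    return sorted({rec[algo] for rec in records if algo in rec})


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_DOWNLOADS)
    for path, snaps in group_by_path(recs).items():
        print(path, [(s["size"], s["sha256"][:12]) for s in snaps])
    print(hashes(recs))
```

Hunting on SHA256 alone would miss the 28KB intermediate write if only the final 2.6MB hash were exported, which is why the grouping keeps every snapshot rather than the last one per path.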