Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:58

General

  • Target

    9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe

  • Size

    2.6MB

  • MD5

    5aca2c1a262bdf9ddd1d1406af5f0c40

  • SHA1

    a33af90e123e64ae31624c0337d80a6f20bb3171

  • SHA256

    9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7

  • SHA512

    b483cdc3844af019757b285d5aabacbf41d36d790cf0d85a841d3c5cb44c5bea781481c585a0e1b3ec3cebf51d2d2b1fe670877cd8806e8f48cc0c1d335582b2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpgb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
    "C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2424
    • C:\FilesM4\abodec.exe
      C:\FilesM4\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2044

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesM4\abodec.exe

          Filesize

          2.6MB

          MD5

          ccd479d4fa28eda3d977b64e196d812d

          SHA1

          f0df62176324ad05231bcc0427a0733f451beae7

          SHA256

          3e32d921b590b24fc4a76b482221ec9072728e6fb44d174b4c4d8678d23305dc

          SHA512

          20746cd63bb94fe3c42c661997a19a20a69433be8845452d46281e8fd91933d909e1a9bb69e622ac8c333f8c3e5766bdfb738614d96d0f8d522aacffdf8de128

        • C:\MintSC\optixloc.exe

          Filesize

          2.6MB

          MD5

          43ff907af645e6154c981c1c1651bb8b

          SHA1

          2a4f2b3f2c73a0ad149f40163a73513148a56ee6

          SHA256

          1bc79f9af65d4d0740135bb8d9cd59193f200a270a030742e5383597124c1be6

          SHA512

          f32f68fefad50f29382b3e042419d0a91b90487c588fa7a72bc74f42d41eb91f50bac7c7c08d7b42b6211741f61b207912a2e36a00efd573dcc639645ec1b172

        • C:\MintSC\optixloc.exe

          Filesize

          2.6MB

          MD5

          ccd4cdf08fba67c70073b8173b0c3de9

          SHA1

          5eed234c984e512c5a348ab75ff627bf55c54a8a

          SHA256

          979af6a4ec69b0202ad8456533fe344738c6466433659697683038e1314e4de2

          SHA512

          10b0ce5c0edb8fcc84ace866af854f6676f95c85d1204475ab484a51a5f2b09aa30787e42df29b7614f86926833884cf8be296759351cb28cbf7652d49b66272

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          ce293a451f54f817baa88cec4fe3404a

          SHA1

          c7eb629243561dda0d514b9e2aa681f67ac651b5

          SHA256

          2000787312bcf5f9743e0ada643c153f0d3bc083333205596dd9b291277d9750

          SHA512

          81d26a1d6d0616b306a240663faa5f3f343221396bfc55392e06fe74f4ff90d4fdbeba56c0ee7b9233a7f023e9d02426111cb7cf39ef4c1a2edd7ebdeef83ffc

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          6c7f40f3a78b44c680defabf9c3fa758

          SHA1

          e96b3eee6cdeb9723ece107d19bfd986e90f2ea5

          SHA256

          387603d41eaa8bb38006ca4e5182c81527b433ade991dbabece040695e9d8d89

          SHA512

          7d983c2037068fb0352a6afbe812c74bf1ffd2d11893ef95ea6b00ec320d800e0c7ec12db61c1938de2acb9df2ec4a19516fbd719d638084afb5284ad0505617

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          0eb6c6742160d9ae8025af3cee11d239

          SHA1

          aff5292226ad96c80384dc31b8327b5378be97e1

          SHA256

          779be9749648355102c691c4e93f0a48842e2de38571b48aec08f8f59c1f2e4a

          SHA512

          9b2d5617af325e8a4703d1c6bf8153939bdedfa875ed07cb15cba46e7c2bb88cade4a616ce57936c83f49066f112718a3ecfec895f35e3cd5c4352cecbaa8bbc
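The following triage helper is an added example, not code from the sandbox or from the sample; it turns the Downloads table and the persistence signatures above into a host check. Its hash table is transcribed from the report (C:\MintSC\optixloc.exe and the .ini each get two entries because the sandbox saw two different versions written to the same path). Note that the parent and every dropped copy are all 2.6MB yet carry different hashes, so path and persistence-location matching is kept alongside hash matching. The report does not give the Run value name, only that a Run key was added, so the check matches on value data that points into the observed drop locations; reading HKCU rather than HKLM is an assumption, and the demo Run values and Startup listing in `__main__` are constructed.

```python
import hashlib
import os
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Hashes transcribed from the report. SAMPLE_SHA256 is the submitted file;
# DROPPED_SHA256 maps each dropped file's SHA256 to the path the sandbox saw.
# Two paths appear twice because two different versions were written there.
SAMPLE_SHA256 = "9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7"
DROPPED_SHA256: Dict[str, str] = {
    "3e32d921b590b24fc4a76b482221ec9072728e6fb44d174b4c4d8678d23305dc": r"C:\FilesM4\abodec.exe",
    "1bc79f9af65d4d0740135bb8d9cd59193f200a270a030742e5383597124c1be6": r"C:\MintSC\optixloc.exe",
    "979af6a4ec69b0202ad8456533fe344738c6466433659697683038e1314e4de2": r"C:\MintSC\optixloc.exe",
    "2000787312bcf5f9743e0ada643c153f0d3bc083333205596dd9b291277d9750": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "387603d41eaa8bb38006ca4e5182c81527b433ade991dbabece040695e9d8d89": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "779be9749648355102c691c4e93f0a48842e2de38571b48aec08f8f59c1f2e4a": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe",
}

# Drop locations taken from the process tree and Downloads list. Matching is
# case-insensitive because NTFS paths are.
DROP_PATH_FRAGMENTS = ("c:\\filesm4\\", "c:\\mintsc\\", "\\startup\\locdevdob.exe")
STARTUP_FILENAMES = ("locdevdob.exe",)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(digest: str) -> Optional[str]:
    """Return the path the report ties to this SHA256, 'submitted sample' for
    the original file, or None when the hash is not in the report."""
    digest = digest.lower()
    if digest == SAMPLE_SHA256:
        return "submitted sample"
    return DROPPED_SHA256.get(digest)


def scan_files(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Hash each existing file and return (path, sha256, label) for report matches."""
    hits = []
    for p in paths:
        if not os.path.isfile(p):
            continue
        digest = sha256_file(p)
        label = classify_hash(digest)
        if label is not None:
            hits.append((p, digest, label))
    return hits


def persistence_hits(run_values: Dict[str, str], startup_listing: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flag Run values whose data points into a drop location, and Startup-folder
    entries carrying the dropped file's name. run_values maps value name to
    value data; startup_listing is the Startup folder's file names."""
    hits = []
    for name, data in run_values.items():
        low = data.lower()
        if any(frag in low for frag in DROP_PATH_FRAGMENTS):
            hits.append(("run", name, data))
    for fname in startup_listing:
        if fname.lower() in STARTUP_FILENAMES:
            hits.append(("startup", fname, ""))
    return hits


def read_hkcu_run() -> Dict[str, str]:
    """Read HKCU\\...\\Run on Windows (hive choice is an assumption); return {}
    elsewhere so the script still runs offline."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    # Constructed demo input standing in for a live host's Run key and Startup folder.
    demo_run = {"Updater": r'"C:\MintSC\optixloc.exe"',
                "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}
    demo_startup = ["locdevdob.exe", "desktop.ini"]
    for hit in persistence_hits({**demo_run, **read_hkcu_run()}, demo_startup):
        print("persistence:", hit)
    for hit in scan_files(sys.argv[1:]):
        print("hash match:", hit)
```

Run it with candidate file paths as arguments; on a Windows host it also folds the live HKCU Run values into the persistence check. Because the .ini is only 170 to 202 bytes and was rewritten during the run, its two hashes are the least stable indicators in the table; the Startup-folder file name and the C:\FilesM4 and C:\MintSC directories are the cheaper things to look for first.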