Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:05

General

  • Target

    c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe

  • Size

    2.6MB

  • MD5

    9f0b34d341fca709b940188f7317ed70

  • SHA1

    e48250b68b58d5604d4c715b41b768a570b5bd4c

  • SHA256

    c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8

  • SHA512

    d8ef9ae955dbafb2c31f2a801ced2c31136b206f6e11790ee18e1375203f0701582a194b9e70b434cca9bd795f67c42614daf81edcf3fc5f21ded9d6bc7ece3c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpBb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
    "C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5056
    • C:\SysDrvI6\xdobloc.exe
      C:\SysDrvI6\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:232
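The Signatures and Processes sections above describe four behaviours a responder would want to alert on: an executable written to the user's Startup folder, a value set under a CurrentVersion\Run key, execution of a dropped EXE from a freshly created root-level directory (C:\SysDrvI6), and WriteProcessMemory against another process. The following is an added example (not part of the sandbox report) that expresses each as a rule over Sysmon-style events and runs them against constructed event records modelled on the process tree. The Sysmon event IDs and the access-mask bits are real; the registry hive path, Run value name, ProcessAccess target and GrantedAccess value are assumptions, since the report only states that the key was added and the API was used.

```python
"""Detection logic for the behaviours the report flags (startup-folder drop,
Run key persistence, execution from a new root-level directory, remote memory
writes), run over constructed Sysmon-style events.  Added example, not part
of the sandbox report."""
import re

# Sysmon event IDs (real values): ProcessCreate, ProcessAccess, FileCreate,
# RegistryEvent (value set).
PROCESS_CREATE = 1
PROCESS_ACCESS = 10
FILE_CREATE = 11
REGISTRY_SET = 13

# Access rights a process needs on its target before WriteProcessMemory can
# succeed: PROCESS_VM_OPERATION (0x8) and PROCESS_VM_WRITE (0x20).
VM_WRITE_MASK = 0x0008 | 0x0020

# Directories directly under the drive root where an EXE is normally found.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                      "users", "programdata"}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe")

# Constructed events modelled on the report's process tree.  The Run value
# name "sysadob", the hive path, the ProcessAccess target and the
# GrantedAccess value are assumptions: the report only states that a Run key
# was added and that WriteProcessMemory was used.
EVENTS = [
    {"EventID": FILE_CREATE, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\sysadob.exe"},
    {"EventID": REGISTRY_SET, "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\sysadob"},
    {"EventID": PROCESS_CREATE, "Image": r"C:\SysDrvI6\xdobloc.exe",
     "ParentImage": SAMPLE},
    {"EventID": PROCESS_ACCESS, "Image": SAMPLE,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign noise that must not fire.
    {"EventID": PROCESS_CREATE, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": FILE_CREATE, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
    {"EventID": PROCESS_ACCESS, "Image": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
]

# "<drive>:\<one directory>\<name>.exe": an EXE exactly two levels below root.
_EXE_UNDER_ROOT = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$")


def startup_folder_drop(ev):
    """FileCreate of an executable inside a user's Startup folder."""
    if ev["EventID"] != FILE_CREATE:
        return False
    target = ev["TargetFilename"].lower()
    return "\\start menu\\programs\\startup\\" in target and target.endswith(".exe")


def run_key_persistence(ev):
    """Registry value set under a CurrentVersion\\Run key."""
    if ev["EventID"] != REGISTRY_SET:
        return False
    key = ev["TargetObject"].lower()
    return "\\software\\microsoft\\windows\\currentversion\\run\\" in key


def exec_from_new_root_dir(ev):
    """ProcessCreate whose image sits in an unexpected directory under the root."""
    if ev["EventID"] != PROCESS_CREATE:
        return False
    m = _EXE_UNDER_ROOT.match(ev["Image"].lower())
    return bool(m) and m.group(1) not in EXPECTED_ROOT_DIRS


def remote_memory_write(ev):
    """ProcessAccess granting VM_OPERATION and VM_WRITE on a different process."""
    if ev["EventID"] != PROCESS_ACCESS:
        return False
    granted = int(ev["GrantedAccess"], 16)
    return (granted & VM_WRITE_MASK) == VM_WRITE_MASK and ev["Image"] != ev["TargetImage"]


RULES = [
    ("Drops startup file", startup_folder_drop),
    ("Adds Run key to start application", run_key_persistence),
    ("Executes EXE from new root-level directory", exec_from_new_root_dir),
    ("Suspicious use of WriteProcessMemory", remote_memory_write),
]


def evaluate(events):
    """Return (rule name, acting image) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["Image"]))
    return hits


if __name__ == "__main__":
    for name, image in evaluate(EVENTS):
        print(f"{name}: {image}")
```

The root-directory rule is deliberately narrow (an EXE exactly two levels below the drive root, outside the standard top-level directories) so that it catches C:\SysDrvI6\xdobloc.exe without firing on System32 or Program Files binaries; the ProcessAccess rule also requires that the source and target differ, since a process opening itself with full rights is routine.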

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\MintX4\optiaec.exe

          Filesize

          207KB

          MD5

          76840a35cf3749f16427ffae318cb45d

          SHA1

          358c51a8cf123b763b5f50e7f76a3787f5461651

          SHA256

          5f80b9fa3b5db93123b3db5edd4016de36c73d5d0d7c10de98d7eaac984942bf

          SHA512

          7ffc4d738246df86a5fd6327fd82cc9d70415bc434e49f3e6469b3d6f619f198430f3ed102f3b68776b963112c9ed90def04c41587a202c6869fe67d4c61a537

        • C:\MintX4\optiaec.exe

          Filesize

          2.6MB

          MD5

          fa8cbaa4d554d6ab62a2ccac96ca1ee9

          SHA1

          4089c34bba36660127d921628fed83b236f43b1c

          SHA256

          76c67222af1af83a70e70e0e29e92063c37d3861489f83bfd80e8db87b595a59

          SHA512

          acdb54c56f33a2a1c538619a3dfd4b25bdf23e07a241537afebda9e0b31b66b72f5c335d0b877c4a1b1b628bc72dd9f71dc679ab1746d40f80a6d56426278dae

        • C:\SysDrvI6\xdobloc.exe

          Filesize

          2.6MB

          MD5

          d727bbcec65e4a8a64a4675dc311947f

          SHA1

          3fb799f9a2677244e1c3f52273b8aa41c1a835ac

          SHA256

          578917fd7bfa71e3e12978ddd8b7ac2b8c27bef7b85f7c41303ba18f6cd2da5e

          SHA512

          6933c719a041b928206f18d2e13a24686bfe08662f9ac600b4a3b4b7261f3a6feca4acc4428d076b9c944f7bc11ae2ac028f1ae240985c5199ab9c54633d533b

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          b7a17337d693c47c9150767275f15b7d

          SHA1

          9ac4170174df9e2b73b065f7200adc33fe1c7d50

          SHA256

          32f551e258afb0f21f3fe25be8dab70eb5bee7d5baf44ea14061b37e4d023437

          SHA512

          94f8bd8e0fb853783d0a2ae5a224d0766af5cfc1176dae7875c936a8c81b95ce0ad3f44bb37520e0bfa8852ece783fe745078786b706b509cc6fbc5ad0bfe1a9

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          396e73b7ae2f6de8a8ac35750c2e8dd7

          SHA1

          1b4981db941612599314ed83795cd6be3baeea3e

          SHA256

          778fadb294625d94a2ef2c79b284ce46f0b8aec5c41830070f0a6430b5f1ec2b

          SHA512

          a7c8e1e71f4a01a0553f64f5379ab05f74d0794bfd6d6ede79a6156f2827fd4243ceaaf3d8de4f17cf5f95cf412f04770fa6dc24b426b53927da48e588df0683

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

          Filesize

          2.6MB

          MD5

          942caae9702c34a42c59d8b02eaa4d2b

          SHA1

          85ecdb96039476979280d3db03ceb67901a17d1f

          SHA256

          c250ea2fc75c47269191eb44676bdc71b0eddc32ac5f40f9ccf0c2ac9641b8fa

          SHA512

          d302f9a35ed5f5293df95bd9622156311b3e1bb70a78f18c87092bb1fce3133fa259cca3653085b3e2572e9a77bdc163e34ce92ab630d59c4dd2aa4d2ef875e2
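The Downloads list above is the artifact inventory a responder would sweep other hosts for. The following is an added example (not part of the sandbox report) that takes the SHA256 values listed in the report, walks a directory tree hashing every file, and reports matches by digest first and by dropped-file name second. The `demo()` helper builds a constructed tree so the code runs offline; its payload bytes, the "constructed payload" label, and the treatment of the numeric prefix in `253086396416_10.0_Admin.ini` as host-specific are assumptions.

```python
"""Sweep a directory tree for the artifacts listed in the report, matching on
SHA256 first and on dropped-file name second.  Added example, not part of the
sandbox report."""
import hashlib
import os
import tempfile

# SHA256 values copied from the report's Downloads section (label -> digest).
REPORT_SHA256 = {
    "submitted sample":
        "c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8",
    r"C:\MintX4\optiaec.exe (207KB)":
        "5f80b9fa3b5db93123b3db5edd4016de36c73d5d0d7c10de98d7eaac984942bf",
    r"C:\MintX4\optiaec.exe (2.6MB)":
        "76c67222af1af83a70e70e0e29e92063c37d3861489f83bfd80e8db87b595a59",
    r"C:\SysDrvI6\xdobloc.exe":
        "578917fd7bfa71e3e12978ddd8b7ac2b8c27bef7b85f7c41303ba18f6cd2da5e",
    r"Startup\sysadob.exe":
        "c250ea2fc75c47269191eb44676bdc71b0eddc32ac5f40f9ccf0c2ac9641b8fa",
    r"C:\Users\Admin\253086396416_10.0_Admin.ini (201B)":
        "32f551e258afb0f21f3fe25be8dab70eb5bee7d5baf44ea14061b37e4d023437",
    r"C:\Users\Admin\253086396416_10.0_Admin.ini (169B)":
        "778fadb294625d94a2ef2c79b284ce46f0b8aec5c41830070f0a6430b5f1ec2b",
}

# Dropped-file names from the report (lower-case).  The numeric prefix of the
# .ini name is assumed to be host-specific, so only its suffix is matched.
DROPPED_NAMES = {"optiaec.exe", "xdobloc.exe", "sysadob.exe"}
DROPPED_SUFFIXES = ("_10.0_admin.ini",)


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, hashes=REPORT_SHA256, names=DROPPED_NAMES, suffixes=DROPPED_SUFFIXES):
    """Return (path, match kind, label) for every file matching an IOC.

    A digest match is authoritative; a name match only flags a file whose
    contents differ from the report (a rebuilt or re-packed dropper)."""
    by_hash = {d.lower(): label for label, d in hashes.items()}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            low = fn.lower()
            if digest in by_hash:
                findings.append((path, "sha256", by_hash[digest]))
            elif low in names or low.endswith(suffixes):
                findings.append((path, "filename", fn))
    return findings


def demo():
    """Build a constructed tree and sweep it.  Returns the findings and the
    digest of the constructed payload that is added to the IOC table."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    payload = b"constructed stand-in for a dropped executable\n"  # constructed
    os.makedirs(os.path.join(root, "SysDrvI6"))
    with open(os.path.join(root, "SysDrvI6", "payload.bin"), "wb") as f:
        f.write(payload)
    with open(os.path.join(root, "sysadob.exe"), "wb") as f:
        f.write(b"different content, matched by name only\n")  # constructed
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign\n")  # constructed, must not match
    digest = hashlib.sha256(payload).hexdigest()
    hashes = dict(REPORT_SHA256, **{"constructed payload": digest})
    return sweep(root, hashes=hashes), digest


if __name__ == "__main__":
    for path, kind, label in demo()[0]:
        print(f"{kind:8} {label}: {path}")
```

Two entries share the path C:\MintX4\optiaec.exe (207KB and 2.6MB) and two share the .ini path (201B and 169B): the sandbox captured each file at two points in time, so both digests are kept and either is a valid match. Name-only hits are reported separately because the same dropper name with a different hash is exactly what a re-packed build would produce.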