Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:13

General

  • Target

    95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe

  • Size

    2.6MB

  • MD5

    7dfd8ebf5512591fc9a1f79239380f6f

  • SHA1

    ebe3dcdabe9e7f5f07f1f44573406172453c064f

  • SHA256

    95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10

  • SHA512

    d566cd4cdd428a1d554da42cd6ca17ba53539e682c220ca447c714494f5f32e4cc538f0f526df06129b73652c882d0fcd14dc166c46efba94daa84cd069288cb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSS:sxX7QnxrloE5dpUp6bF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
    "C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2500
    • C:\AdobeR3\abodec.exe
      C:\AdobeR3\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:848

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeR3\abodec.exe

          Filesize

          2.6MB

          MD5

          39244d9ba1a52e4aeef4259c9e698e90

          SHA1

          5ae70bc14e19c264ea60e5e0fb27e116405d7deb

          SHA256

          40869c814345bf023b4be62cab3aa85b1b3e5352deec3c2ab2e820a3c17f81bb

          SHA512

          a48b3d92171e906d3b39b9808ed5c00ecd68e59961be2697b3352b9016e420a51846518cbe7a08a7af03b10b952beb7e59b30f6f6ac00f6da431afea9c9920d9

        • C:\Galax6T\optialoc.exe

          Filesize

          2.6MB

          MD5

          ae403f060aa22cad7b0ed0009dcab246

          SHA1

          28bc0a15cf767caadeaeac040ddf4da37ef81571

          SHA256

          19080880aeca3d3074d5394bd46ef1ba653f783c861a13a14c031ae26bea2393

          SHA512

          04b584f990b7b67c55c742dabc8e18e4e18a15260fad82a91a4cf9fa254d75f6a193db911d63e8db0e1b933ac04a64f989f1283da281d69bff0d4814ed157e05

        • C:\Galax6T\optialoc.exe

          Filesize

          2.6MB

          MD5

          b65eaa6b527a3af59bd949a90da7cba2

          SHA1

          aa021b73edff73c7f29e237a2cebaa335ba5f5df

          SHA256

          77ab70d58e706461912632334bb6007cb4e9073e0ad34790ad1f1c0358941123

          SHA512

          9f9d26df3c8b177995f53b7b65dcb05d886ce163a8acfb7ae256170bc5bf6ee5c20b29046e3e81a04f04ebe9e536c53ae626eff29a1cc677136491326164d7cb

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          caab9aa866e9537d4b4e8f7a71b1c322

          SHA1

          bfb3db4a64d7a43e56871b285406bf1ad3f1b788

          SHA256

          07b637558e81b303e132a09b6ce3ae1fe5c0fc6521a45ecf9a0d05f8bdf65919

          SHA512

          a7c257465067957f8d973dc1fcf471f2f1a01b0cca3edd252c569b390280d0b7d0d87e44f7e4f5b5d9bff1d262bdb38ef0684b619ac07494b5c9a47c41a88782

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          133bc5fd613094e0373c8c12c84fb475

          SHA1

          2de9773784ae3a3bbd7a6de189a8d44345f72d5a

          SHA256

          4dd243e7d2f0925e498a468e9dd47378ba016f8b37e872c8aaa22e9eb885b034

          SHA512

          4d75d35da7fc0575d20b02d4b29aa8f78f2aeabc53f2fbeaf488f65bdf16feca3e38babd9b23689a0c1550f1baa7d2888931b8040270754c7425c4f511701271

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

          Filesize

          2.6MB

          MD5

          66f212d571e1b9aec9d49982a68c9944

          SHA1

          4d5f794f18c0240e71494cf3fdd08006d34a3fca

          SHA256

          8618595687a8527abc16205b8ed5c96770b1aa4d621736c29b838725e16c422c

          SHA512

          4c018ef074cacbcb00dc09192a1fb845c9a0904b329448b1e69a291e8336be67729e6e440467192cc015649be51a290689fbc25220c1c2832f1609e8ae7a53ed