Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:13

General

  • Target

    18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe

  • Size

    2.6MB

  • MD5

    0dfb70f35e3fa52b28c1b0902dff5080

  • SHA1

    c789c44af04c1c3d92336ad22863074c61ba4e8c

  • SHA256

    18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106

  • SHA512

    fec0fcf56b2d290d9d39d91b5d426c48d5244dc61696b2ffd316c5c426d66ce7e4f19eddcfd9bf51d0a3799bc6b15d8837e54e7d693c984eb4d4aa7e41c3d1d1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSq:sxX7QnxrloE5dpUpxbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
    "C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2480
    • C:\AdobeQ4\devdobec.exe
      C:\AdobeQ4\devdobec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1708

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeQ4\devdobec.exe

          Filesize

          2.6MB

          MD5

          66c0ed644a55d994059cbf48f92a3f47

          SHA1

          44dc23e6332eed8c75cae981e2f02dff13593b0c

          SHA256

          16ad0804d9e21f5db6c5c317993c48e5eb17c7b14bdc5702b19abebfe2a5bddc

          SHA512

          5b19d6fe28722f5cbcfdd686c4b2f72becb262d8479b1254fec9d7495d7a391cb0d45c643fde4e6bc4ea15d09cd4b86490d0fc31ce63c6dc3c8fb28f921d6358

        • C:\MintRI\optidevsys.exe

          Filesize

          2.6MB

          MD5

          8dfaf75dcd0ba59db3edef18c654e50d

          SHA1

          0445a56622df7b9d751b85a4ba68951375f3b472

          SHA256

          7efe70f2053ecbf2dc0071cbbbc4b99fcad6624637a2d099b177f3c453fb0664

          SHA512

          637f1c68ed3800de07d4fbebdbb6606e42f1f07825ba9b95ed117cceb4882f52b8664ec4ed93d93f1f98cdc8fb0c47137497110431bb58931325495107cf8b25

        • C:\MintRI\optidevsys.exe

          Filesize

          2.6MB

          MD5

          10ceb884458040bf9e1a4dc80a849258

          SHA1

          0473339233b4dbea8a98d50bd5d7f63df6b96b56

          SHA256

          e1edbf1ff01e6593f949997f868664afc006dbc245cf0a159984a249d782411d

          SHA512

          08467962765e680e4abdc31dd6ce85db171a5dddf9249c1323261637ccaf185106530980c3783950c79e38303872f7764f0669ef29c42bc15aaba62aa7371ac4

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          173B

          MD5

          192ed5335773d412a8837cd719bba0a9

          SHA1

          7106ba468c4f368ffb60f3eb4b96d1723fd851e0

          SHA256

          b9eb210503d0ca32637e2a7611f39e78092e8efaaefd956452645cf66c682599

          SHA512

          414821fa21f928cb684ccd221f48a77d60b795d4462ef84e12e1057258f7273aa41b22bb7b8f6df9947b4d5b9631dfd06c8adba4e38ec653e39d09211ac86d65

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          205B

          MD5

          e1204374d74db41a7bf97da4e17c2a24

          SHA1

          38f428bb5c56bfda0f01184e29d657962e3e1564

          SHA256

          7f6a206013fcd34f645c921a0f474d1b57e55bfdf87581c43415248b43df517c

          SHA512

          62b4a5c8d17cc8d508ef50eed92b13b302c5f98ef1f496dd2da6b1e872a89eb26fd80216fe417d81777148f0f7bba6b8ec34e41d172ba1a55dbc643ffd9f255b

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

          Filesize

          2.6MB

          MD5

          2acb505bd9897411f9aed3a398cf0af0

          SHA1

          5ab8748db930a16dd32f081c7099a2b0f1f0cf9b

          SHA256

          51f72bdbacb62f9e02a1455019031b9b93b6f93338410cd4ab15afb30f6ba6fa

          SHA512

          ee12bd4210538903066a5b857bbc3301314d7ad8153875ae018264c456e6d2d2e5c3c713cb9c9cfe516d75a39ea82a00e6fc28b6397d0df0712edf5bd4cccbe7