Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:21

General

  • Target

    37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe

  • Size

    2.6MB

  • MD5

    5683533888eca804288fea46c019a480

  • SHA1

    985208a86692bcfa0ac678d011d4cefac366cdd6

  • SHA256

    37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fd

  • SHA512

    4ba0b018be4491073b999a4aa1ab4e9edbab96604ab69a14b961da2d3d4b0e539940fe4fac76cbcc994921244eb63857ba248de7721c2481f37fb0ccbfef533f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSq:sxX7QnxrloE5dpUpZbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
    "C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2680
    • C:\FilesOI\adobloc.exe
      C:\FilesOI\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2740
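The signatures listed above and the process tree they annotate, replayed as detection logic in an added example (this is not the sandbox's own code): a small matcher consumes a constructed event stream that reuses the report's paths and PIDs (2220, 2680, 2740) and tallies which signature each event triggers. The event schema, the matcher heuristics, the API names and the browser-profile read are assumptions; the report does not say which calls or file accesses produced those hits.

```python
"""Replay sandbox-style behavioural events against the signature names used
in the report above.  Added example, not the sandbox's own detection code:
the event schema, the matcher heuristics and the sample events are all
constructed here to mirror the reported behaviour."""
from collections import defaultdict

# Constructed matchers.  Paths and registry keys are compared case-insensitively
# after normalising slashes; API names are matched exactly.
STARTUP_DIR = r"\start menu\programs\startup"
RUN_KEYS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
)
BROWSER_DATA = (
    r"\google\chrome\user data",
    r"\microsoft\edge\user data",
    r"\mozilla\firefox\profiles",
)
LANG_APIS = {
    "GetUserDefaultUILanguage", "GetSystemDefaultUILanguage",
    "GetUserDefaultLangID", "GetSystemDefaultLangID",
    "GetLocaleInfoA", "GetLocaleInfoW",
}
PROC_ENUM_APIS = {
    "CreateToolhelp32Snapshot", "Process32First", "Process32FirstW",
    "Process32Next", "Process32NextW", "NtQuerySystemInformation",
}


def _norm(path):
    return path.replace("/", "\\").lower()


class SignatureMatcher:
    """Feed events in chronological order: 'Executes dropped EXE' and
    'Loads dropped DLL' depend on a file_write seen earlier in the stream."""

    def __init__(self):
        self.hits = defaultdict(list)   # signature name -> list of IoC strings
        self.dropped = set()            # normalised paths written by the sample

    def feed(self, ev):
        kind, pid = ev["type"], ev.get("pid")
        if kind == "file_write":
            p = _norm(ev["path"])
            self.dropped.add(p)
            if p.rsplit("\\", 1)[0].endswith(STARTUP_DIR):
                self.hits["Drops startup file"].append(ev["path"])
        elif kind == "reg_set":
            if _norm(ev["key"]).endswith(RUN_KEYS):
                self.hits["Adds Run key to start application"].append(
                    f'{ev["key"]}\\{ev["value"]} = {ev["data"]}')
        elif kind == "process_create":
            if _norm(ev["image"]) in self.dropped:
                self.hits["Executes dropped EXE"].append(
                    f'PID:{pid} (parent {ev["ppid"]}) {ev["image"]}')
        elif kind == "image_load":
            if _norm(ev["path"]) in self.dropped:
                self.hits["Loads dropped DLL"].append(f'PID:{pid} {ev["path"]}')
        elif kind == "file_read":
            if any(m in _norm(ev["path"]) for m in BROWSER_DATA):
                self.hits["Reads user/profile data of web browsers"].append(
                    f'PID:{pid} {ev["path"]}')
        elif kind == "api_call":
            api = ev["api"]
            if api in LANG_APIS:
                self.hits["System Location Discovery: System Language Discovery"].append(f"PID:{pid} {api}")
            elif api in PROC_ENUM_APIS:
                self.hits["Suspicious behavior: EnumeratesProcesses"].append(f"PID:{pid} {api}")
            elif api == "WriteProcessMemory":
                self.hits["Suspicious use of WriteProcessMemory"].append(f"PID:{pid} -> PID:{ev.get('target')}")

    def counts(self):
        return {name: len(iocs) for name, iocs in self.hits.items()}


def analyze(events):
    m = SignatureMatcher()
    for ev in events:
        m.feed(ev)
    return m


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
DROPPED = r"C:\FilesOI\adobloc.exe"

# Constructed event stream mirroring the process tree in the report.  The
# parent PID of the sample, the API names, the browser read and the image
# load are assumptions about what triggered the corresponding signatures.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2220, "ppid": 1234, "image": SAMPLE},
    {"type": "file_write", "pid": 2220, "path": STARTUP},
    {"type": "file_write", "pid": 2220, "path": DROPPED},
    {"type": "reg_set", "pid": 2220, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "adobloc", "data": DROPPED},
    {"type": "api_call", "pid": 2220, "api": "GetUserDefaultUILanguage"},
    {"type": "api_call", "pid": 2220, "api": "CreateToolhelp32Snapshot"},
    {"type": "api_call", "pid": 2220, "api": "Process32NextW"},
    {"type": "process_create", "pid": 2680, "ppid": 2220, "image": STARTUP},
    {"type": "api_call", "pid": 2220, "api": "WriteProcessMemory", "target": 2680},
    {"type": "process_create", "pid": 2740, "ppid": 2220, "image": DROPPED},
    {"type": "image_load", "pid": 2220, "path": DROPPED},
    {"type": "api_call", "pid": 2680, "api": "GetUserDefaultUILanguage"},
    {"type": "api_call", "pid": 2740, "api": "GetUserDefaultUILanguage"},
    {"type": "file_read", "pid": 2680, "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for name, iocs in analyze(SAMPLE_EVENTS).hits.items():
        print(f"{name}: {len(iocs)} IoC(s)")
        for ioc in iocs:
            print("   ", ioc)
```

Order matters: "Executes dropped EXE" only fires for an image the matcher has already seen written, which is why the Startup-folder copy and C:\FilesOI\adobloc.exe are both counted while the original sample is not. Note also that in this run locabod.exe is launched directly by the dropper (PID 2220) rather than by explorer.exe at the next logon, so the Startup-folder drop is both the persistence mechanism and an immediate execution.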

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesOI\adobloc.exe

          Filesize

          12KB

          MD5

          0d80c026ff7217667d1758553c9b1b94

          SHA1

          14d1f220d41220a37e1c0a894bbcc390e238adac

          SHA256

          3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8

          SHA512

          5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a

        • C:\KaVBR8\boddevec.exe

          Filesize

          2.6MB

          MD5

          2a2e03531d8a9adcd30bac9865e90388

          SHA1

          20e18ab441b57953aff6fe2db3652a43ac17b3d0

          SHA256

          ab5d5ff420bc351cf77b49ee8eb6cfa815bddfe0ad8bfbd4270cab194588dfe8

          SHA512

          ee7d59ee9f6d0d8348254581998fd6da0bc9a5aabf9583b0b386a34efea57340bc48681d77d27cea07142b173e0977d3cd9cabbb6d3f13c06ed5558deb802f15

        • C:\KaVBR8\boddevec.exe

          Filesize

          2.6MB

          MD5

          fdd12b5bcf5418f38e20f4d111d0156b

          SHA1

          20b668176d325aa3418f35846f50d85d71f0fecc

          SHA256

          d116ca6dec6255354b4eebe606e1d493fff41a32832f0cc2f018e78e30fcd612

          SHA512

          a530ae673933eb717d93b0c177bebfd415bbc4f05624b45cc7a13029d9ce09c6df4b5616f0b0b319464150fa2eb44d08692ec058de40c84e9b3d56587b2be49c

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          169B

          MD5

          6379803b6c7947d428bb7b3f0d77cdf5

          SHA1

          0b6eb8f10afc95a812f2ca9b7cf67dd7dcf7e110

          SHA256

          f894f00eb30d5552e5d07250152894dffce784096c243d2cea16f80234772045

          SHA512

          d540f1dd1d1e0635b1abe6651390a7b873884e7cd601a3af3faf3fc3317063a9018cb93c133ac5bd77a6971186a70764a577f06098d81148bfc14d4b503bbc33

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          201B

          MD5

          11914196df9e2415a5cb2585e340c77a

          SHA1

          8bb5a29e362e6b04922b61842cb8dc18c258bf01

          SHA256

          6ce17b0ad5ce838b37e65df833f3d652b2f64a9b1706e8e66072790f7772209c

          SHA512

          198d860cea18cc2f90e7c52f64308d8016ef249108f5a7f51feecf8ee51b4961e12792e953d9532b0ff694debac5aa4ca98d03b053213cf3b0f8e222954f5ed3

        • \FilesOI\adobloc.exe

          Filesize

          2.6MB

          MD5

          1cdbef1077540e31855151dd38884ade

          SHA1

          085dc85aa80590c63e538176424493eaf388cddf

          SHA256

          c065420606b281cb1001dc7e5ef19062b4d43ddc83fc2e3bb7ab13bb7febfe56

          SHA512

          38e9f888d3e356443b5d8c65bfc4031017f55230b26a9f0cc02870626f2062fccf6c36c6d16128181c9f9fb6afceab8641a4a6efedb70bd77843b32203b2b1f4

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

          Filesize

          2.6MB

          MD5

          4482bd1d66ece96f6ca1219b0aeba55e

          SHA1

          f4f72da58a1629dd21b684ef1cba102ac3428d9f

          SHA256

          2f1f7808701c24a72ce5ccd0505896509cc7217ac5da44b8a0bf0efff2185455

          SHA512

          8b17e32675f01a374b6ed21f0ccca39172b173f1db021559cf7b7e9d9e60750045c0b5e40ebcb567e5d82dcd43005f4cdd5d0b98dd3c7b3d6e14af7fbc94ae50
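A sweep against the dropped-file IoCs listed above, as an added example rather than the sandbox's own tooling. The IoC table is copied from the Downloads section and the main sample's SHA256; the tail-path matching and the stand-in files created in demo() are constructed here. The point worth carrying into a real sweep is that the same path appears more than once with different hashes (C:\KaVBR8\boddevec.exe, the 12KB and 2.6MB copies of adobloc.exe, the two .ini versions), because the sample rewrote those files during the run: a hash-only check misses whichever version is on disk, and a path-only check cannot tell a rewritten file from the listed one, so the example reports both signals separately.

```python
r"""Sweep a directory tree for the dropped-file IoCs listed in the report.
Added example, not the sandbox's own tooling: the IoC table is copied from
the Downloads section above; everything else (the tail-path matching, the
stand-in files created in demo()) is constructed here."""
import hashlib
import os
import tempfile
from collections import defaultdict

# (path as listed, size as listed, SHA256 as listed).  The same path occurs
# more than once with different hashes because the sample rewrote those files
# during the run, so every variant is kept rather than de-duplicated by path.
REPORT_IOCS = [
    (r"C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe", "2.6MB",
     "37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fd"),
    (r"C:\FilesOI\adobloc.exe", "12KB",
     "3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8"),
    (r"\FilesOI\adobloc.exe", "2.6MB",
     "c065420606b281cb1001dc7e5ef19062b4d43ddc83fc2e3bb7ab13bb7febfe56"),
    (r"C:\KaVBR8\boddevec.exe", "2.6MB",
     "ab5d5ff420bc351cf77b49ee8eb6cfa815bddfe0ad8bfbd4270cab194588dfe8"),
    (r"C:\KaVBR8\boddevec.exe", "2.6MB",
     "d116ca6dec6255354b4eebe606e1d493fff41a32832f0cc2f018e78e30fcd612"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "169B",
     "f894f00eb30d5552e5d07250152894dffce784096c243d2cea16f80234772045"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "201B",
     "6ce17b0ad5ce838b37e65df833f3d652b2f64a9b1706e8e66072790f7772209c"),
    (r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe", "2.6MB",
     "2f1f7808701c24a72ce5ccd0505896509cc7217ac5da44b8a0bf0efff2185455"),
]


def path_tail(path, n=2):
    r"""Last n components, lower-cased, so the drive-less \FilesOI\adobloc.exe
    entry and C:\FilesOI\adobloc.exe index to the same key."""
    parts = [p for p in path.replace("/", "\\").lower().split("\\") if p]
    return "\\".join(parts[-n:])


def index_iocs(iocs):
    by_hash = {}                 # sha256 -> path as listed
    by_tail = defaultdict(set)   # tail path -> every sha256 listed for it
    for path, _size, sha256 in iocs:
        by_hash[sha256.lower()] = path
        by_tail[path_tail(path)].add(sha256.lower())
    return by_hash, by_tail


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs):
    """Return (file, verdict, detail) for every file under root that matches
    an IoC by content hash, or by path when the content differs (the weaker
    signal, kept because this sample rewrote files in place)."""
    by_hash, by_tail = index_iocs(iocs)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = sha256_file(full)
            if digest in by_hash:
                findings.append((full, "hash match", by_hash[digest]))
            elif path_tail(full) in by_tail:
                known = by_tail[path_tail(full)]
                findings.append((full, "path match, hash differs",
                                 f"{len(known)} listed hash(es) for this path"))
    return findings


def demo():
    """Run sweep() over constructed stand-in files in a temp directory and
    return {basename: verdict}.  The 'stand-in.bin' IoC is constructed here
    (its hash is computed from the bytes below); it is not from the report."""
    payload = b"constructed stand-in for a dropped file\n"
    iocs = REPORT_IOCS + [(r"C:\demo\stand-in.bin", f"{len(payload)}B",
                           hashlib.sha256(payload).hexdigest())]
    files = {
        os.path.join("FilesOI", "adobloc.exe"): b"MZ constructed, not the real dropper",
        os.path.join("KaVBR8", "boddevec.exe"): b"MZ constructed, not the real payload",
        os.path.join("demo", "stand-in.bin"): payload,
        "readme.txt": b"benign file, should not be reported",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        findings = sweep(root, iocs)
    return {os.path.basename(path): verdict for path, verdict, _ in findings}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only the last two path components are indexed, so a copy of adobloc.exe under a different drive letter or a mounted image still matches the listed entry; a real sweep would also want the sizes and the MD5/SHA1 values above for tools that cannot compute SHA256.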