Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:21

General

  • Target

    f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe

  • Size

    2.6MB

  • MD5

    b02acf8834d13c489e9d68c88e408a00

  • SHA1

    1138f824f9ea808c7c7456c09168672f04a6a07a

  • SHA256

    f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59

  • SHA512

    6dd195588b647e254b454d6017c20c22177e912fbe7280fd0638dac9496ecbe323c90b64577f1879634d1ae75493326636a2ddd74f33dd6a00a1e22d6e56bb89

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpDb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
    "C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2156
    • C:\Files8L\abodloc.exe
      C:\Files8L\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2948

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Files8L\abodloc.exe

          Filesize

          2.6MB

          MD5

          89ca8e830854f8012259773a61dc967f

          SHA1

          4b1f18f8884a4386f9c1d3f783e64c0ce5465b4c

          SHA256

          5d31f1cbd39bdcc27c869391feea93cb3196b358d1840342cd608f924c30c35b

          SHA512

          b27170accc643bb635b6ac658e7c4d9e60b9dd84218f8df34f467f70e836f398a18b32957cdda68a460310069d765b9b6cc8054e3328456e6687c875260d40c2

        • C:\GalaxGU\optixec.exe

          Filesize

          2.6MB

          MD5

          33696980be08d5cdb6dcee573706ba56

          SHA1

          83a39601efa6bfa2ba8411f1163bb79cb9e70e7a

          SHA256

          7698eb111cbf3b2cb8b54316741983a72def0d0a5328fe04178328bd727a8c0a

          SHA512

          1a468048aadd7b4269b5f4399a4609b9471fbb2e66648aefe1dc981214f2a4c0b733f677c3b2302c08889d9f59a6a3445df528a779288c7aee7417be0c1e0ba7

        • C:\GalaxGU\optixec.exe

          Filesize

          1.8MB

          MD5

          dde4a13fa75a2b5e813b5ca62b1ad98c

          SHA1

          dcf35fac07d7c9c4f286b575647b71fae7d6988e

          SHA256

          3fbbc23426607535e589c5bdc94808807cb759e33b2a943ed1b532f6c0e1c643

          SHA512

          6f43ecda17cc5a3074a9ace8333a848829b60254ee71cd953b0263334e7a25bb34e7424bd4a8f995127f9d7cb973daa5fc36573e68a9f2836758d6ae0e1297ba

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          168B

          MD5

          a4adcc1d879c6d2ed5a199b9f2e0695c

          SHA1

          11221ce860e6460d14327a7fd260afd843e90d26

          SHA256

          ef1516b072fd86c047980be60a7d836b2ca3fb0521dd69c682aa878f17df779c

          SHA512

          4b3413f7c256758b8fa6eebe9e431e4f9c4af0e1c1b3aed579993fe1919cecedb892daf64af0f8a24cf84e41ada4a7dcae02eb2129d840da137ceaa55dcb4c44

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          200B

          MD5

          49e043eab4cd37be3bf7196f5b57dfe7

          SHA1

          067094ade56f3a914e745549b74e4b46ad28f46f

          SHA256

          36df1efce577221afa9e2f48587406af339b87cc8d3ab49b723a798e4215607a

          SHA512

          7eb611245db2d4b1d5d98f82da53a51e3ff7395bed0434c7d9b10a8d6bb4ea466dd425bef2b4ad63be468c776e17e9f3a4bbf719c0f2f19a09529ef49860b798

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

          Filesize

          2.6MB

          MD5

          82fcae6015a681b350226948f5e3f935

          SHA1

          1a32d4f9702fa5822e14a579e59bb13062a0b6ee

          SHA256

          152d10d2e6a0290b3a7ed08c777a089baab1709e8f2f5d8e7251d1a90f55a173

          SHA512

          9803b951c9f66747e80de51e7a6fc400f29b0ca24478619a59dc904f5e21ed4c7ff7d184f118d1fe658fa54d0ce2e4f42d0590a503f1ba2bf4f8eaf631a5ee13