Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:23

General

  • Target
    6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
  • Size
    2.6MB
  • MD5
    68f5422c68bc653dcb3fefafff35e6f0
  • SHA1
    4832c9ee6f9a496ca1f276cb8ad2d43859b29590
  • SHA256
    6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08
  • SHA512
    2c716aa216ad59dc720523fb2cb3476be208e9dc2a6f0be523084d929c0e39517470089236e6be060b500404cc091a8aa8c5efd0e72d2cc5ebba2af579fd95ab
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSq:sxX7QnxrloE5dpUppbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe"
    PID: 956
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe (child of PID 956)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      PID: 2588
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvZX\devoptiloc.exe (child of PID 956)
      Command line: C:\SysDrvZX\devoptiloc.exe
      PID: 2816
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

Downloads

  • C:\MintLF\optialoc.exe
    Filesize: 2.6MB
    MD5: d2cc5d9440b000c786335062ff447c9d
    SHA1: 81d58c45276a75c480e7103a3a349e8f3add6203
    SHA256: def49d86cead7ec5c2d6c3dc92109956d0ab9d28d7b52b047f204059f8747510
    SHA512: da0ea6ced2bcb7a9e6649d431b58e0eb8e9ca22db008696dc480147b40ec1a0aadb318422eb0284233eac865cf7009f5505e49d0a4246acf848cf70881c9882d
  • C:\MintLF\optialoc.exe
    Filesize: 66KB
    MD5: 25a27647d3870d56c20f82aba7a36e9f
    SHA1: 52c6035f13accff1ddb4e06e0fb71f86dabc25f5
    SHA256: 66a4a5a90cdac91c093c1fc624aab5a426d62aee13578a3775d36bfb165dcb14
    SHA512: 826856681439e70a392a0b4d06445a1475d98bae4437c38df216dc68ad0361f6fa6edeaf5d9e61797e4d9b35b2e6caf00a2d3d190a148f02adee08597796ad17
  • C:\SysDrvZX\devoptiloc.exe
    Filesize: 2.6MB
    MD5: 97d906ffa788f2ba8509d934294e4d52
    SHA1: f1e5b7dfd1a4f319d5ece83bf52bdafb23ee4b5c
    SHA256: c4fb901c3a274deed1a2132a019edd66b9dda7bcfa072f7fe6eaacf47d4a086d
    SHA512: 254cb4d453bbba5e87b2d091e8209ac5740023cc7d7d5678d2a976af5ed731df23cdeae4bc073fcd05591303d3940725357c0c844d7a212d0182c4e3c0b97ea0
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 173B
    MD5: 278ee6f9bcda58cc2218f55904c4a3e9
    SHA1: 87871fe4f8e96876cda5543a14781e939e749c6c
    SHA256: 2eac99da5a3f72e26d34eceb2fff638dae7bd988a3b5a500890644f743f2028f
    SHA512: 13d1a39f2e41b2d187cf3820efab67926d8f6df678b374a2d32a292c22eb3431b9e911805bbf3c5d291904ab221b987ca3864f539fde7f71ed83d83072407531
  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 205B
    MD5: 55b38c6aca9d9e298fa7176b75e1b559
    SHA1: 26c601fa0a19713967932f2b86166f4d46fa1718
    SHA256: a6c0048a17b9f3a0c1214a44067fa9770eef53c946d5bd3bd2ef1599924568ce
    SHA512: a066c27e26c6630b26c44f4ec21b1aaa76f2d1a8dbfb74d1a0fff3845ec248168da3805e32bb04155e1bc6675e41b0b1696f2c2b59ebb683b6408b7c14af14df
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 2.6MB
    MD5: a585877f139c420ea57bbb243df44aa4
    SHA1: 9cbf167fcccf876df8385ce9d06a9044f87d56c2
    SHA256: 97fdf5dca5bb154d3944fb0260b51904112e8fec66c0ff189931c739dc1697d2
    SHA512: 20ca61d26620dc8418586d360aaeb7110bd1e07c53b6cf10aa8d2b4243cdce0918c6278f242f1c019fdae1b31cf6936a0e7de923c2266539a498a1f646edcb05