Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:22

General

  • Target

    b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe

  • Size

    2.6MB

  • MD5

    c8e6cd3b257f0fbbcbe9d47e89be9380

  • SHA1

    ac72c5c60b9d1f31636772e7db3070cceb9c1353

  • SHA256

    b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7

  • SHA512

    d7111cb2a21ac5de9a89b875151a85a3d0233f7f9a84893407ed588702f2398c222d28c57954dac6a90fae2710daf597f6ef56e3e79bd09ca2f74560df747a68

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSq:sxX7QnxrloE5dpUpLbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
    "C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2808
    • C:\AdobeE5\abodsys.exe
      C:\AdobeE5\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2732
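The two persistence behaviours flagged on PID 2152 above, "Drops startup file" and "Adds Run key to start application", as an added detection example that is not part of this report or of Triage's own signature logic. It runs over constructed Sysmon-style events (Event ID 11 FileCreate and Event ID 13 RegistryEvent/SetValue field names); the dropped-file paths are taken from the process tree, but the Run value name "locadob", the user SID and the benign noise events are assumptions, since the report prints neither the registry value it observed nor the underlying telemetry.

```python
"""Detect Startup-folder drops and Run-key writes in Sysmon-style events.

Added example, not code from the report. Event records below are constructed:
paths come from the report's process tree; the Run value name, SID and the
benign noise are assumptions made for the example.
"""
import re
from collections import defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe")
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
RUN_KEY_PATH = r"\Software\Microsoft\Windows\CurrentVersion\Run\locadob"  # assumed value name

SAMPLE_EVENTS = [  # constructed Sysmon-style records (EventID 11 and 13)
    {"EventID": 11, "ProcessId": 2152, "Image": PARENT,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\locadob.exe"},
    {"EventID": 11, "ProcessId": 2152, "Image": PARENT,
     "TargetFilename": r"C:\AdobeE5\abodsys.exe"},
    {"EventID": 13, "ProcessId": 2152, "Image": PARENT, "EventType": "SetValue",
     "TargetObject": "HKU\\" + SID + RUN_KEY_PATH,
     "Details": r"C:\AdobeE5\abodsys.exe"},
    {"EventID": 11, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
    {"EventID": 13, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "EventType": "SetValue",
     "TargetObject": "HKU\\" + SID
                     + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Per-user Startup folder; the all-users one under ProgramData differs only in
# case ("StartUp"), so the match is case-insensitive.
STARTUP_DIR = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)


def detect(events):
    """Return one finding per event that writes to a Startup folder or sets a
    Run/RunOnce value. A Run value whose data names a file the same run has
    just created is marked, since that pairing is the dropper's persistence chain."""
    created = defaultdict(set)  # pid -> lower-cased paths it created
    findings = []
    for ev in events:
        if ev["EventID"] == 11:
            created[ev["ProcessId"]].add(ev["TargetFilename"].lower())
            if STARTUP_DIR.search(ev["TargetFilename"]):
                findings.append({"rule": "startup_folder_drop", "pid": ev["ProcessId"],
                                 "image": ev["Image"], "target": ev["TargetFilename"]})
        elif ev["EventID"] == 13 and ev.get("EventType") == "SetValue":
            if RUN_KEY.search(ev["TargetObject"]):
                # Value data may be quoted and carry arguments; keep the executable path.
                exe = ev["Details"].lstrip('"').split('"')[0].strip().lower()
                findings.append({"rule": "run_key_set", "pid": ev["ProcessId"],
                                 "image": ev["Image"], "target": ev["TargetObject"],
                                 "details": ev["Details"],
                                 "points_to_dropped_file":
                                     any(exe in files for files in created.values())})
    return findings


def summarize(findings):
    """Rules triggered per PID; one PID hitting both is a persistence cluster."""
    by_pid = defaultdict(set)
    for f in findings:
        by_pid[f["pid"]].add(f["rule"])
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
    print(summarize(detect(SAMPLE_EVENTS)))
```

On the constructed events only PID 2152 fires, and its Run value is flagged as pointing at a file it wrote itself; the benign registry write by explorer.exe under CurrentVersion\Explorer does not match.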

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeE5\abodsys.exe

          Filesize

          2.6MB

          MD5

          d66bd7c008ad7b4a9e0b99df91de8255

          SHA1

          56f4d445d6605949be271e63451a4ce1fc6a92b2

          SHA256

          443097d91df09e6e212f658e688b56d35af92f4c01948b27c9a7be21eff3e11a

          SHA512

          a489ce8b5ea6fe84173f86eb294a75368e2aab67f3ac1590ea8daade4f8f26a04a46184f36a5c69a87acfb461e3db317e7db3fa776fbc11a372b045b8e05e589

        • C:\KaVBT5\dobxec.exe

          Filesize

          2.6MB

          MD5

          94ddd99007321bfd7b3af2f306793b30

          SHA1

          a7498f9f7c4ea7b223975cfec894ff5cae547170

          SHA256

          88644a1244ffc6bd3a2d865866351be61da1def38f6c5f5da063b94a08344c8c

          SHA512

          55171c6e499fad5a1eb59ebd6cb828d9b42283b440a2bddff773cf29abddca130d57d3f81016b125bbc2bcb7d14b298ab4754c380772e3c0bb72487604d57bd8

        • C:\KaVBT5\dobxec.exe

          Filesize

          2.6MB

          MD5

          03d3196e6be75996b8519a625cacde2d

          SHA1

          41f1d5353f6a69128f8a3ae685887ef21143b7a2

          SHA256

          4f970a4b2db3fb998bbc56f05b53ebfbda272db276e42706c072d44d4adc4d70

          SHA512

          de891583e53539c62c5034bfe0d493f21cf18ed406889ddcd56a44b351e42c1b4bec54fd74842ee5ddb415e5a1c7d04a22fe1c1efbf5fd80b846d1de1b6ee234

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          167B

          MD5

          5fbd78922358f922873cdedd5e25babe

          SHA1

          17b2332a5aff6ea840f6e455c77d8730936bc4a9

          SHA256

          482a3bbc58c100f10fbea2df7a1cc332be1484bbfc8039eb5a46e914cf9d332d

          SHA512

          7a8809dfff9d920c24656eb8e0c66b77893f75b54c12e750876d369cfbf44a0191b0eb3ff7755fc7cfad6c6a2e705c25e32d5e84a2090cac9ec1f90145d9adaa

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          199B

          MD5

          f8af5861a3d58cf8d90a8725c01b631c

          SHA1

          c75f7f7a74ac0f8c80409f73d84403fc94794aee

          SHA256

          3ef4ebe87a719a675b91e827858f3cf5803ea6341032d1c4c29c83a362b338a7

          SHA512

          c9b56f78c8a92cd29a7f50161816531a6b4ff3bf3baeea2b14876fb795cb8ed5ed02cfc785fff3fc9800fd619bbfb4b1917fba7ab2453291746e010b83057e4e

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

          Filesize

          2.6MB

          MD5

          1d818454819fd97802aa0746942d9765

          SHA1

          e00a1e210f2ee2f70a387d9e600b2f7babbf6eb7

          SHA256

          fce7314099fa1e4829cbeec1aa69b0b151cd5ee95dfaa3e987cbde4f034668c0

          SHA512

          0385d2cdaeba185bcb722212a943e630082dc701c5046933b5b21bf51d07de5fca462c3cee866a53fcdb585c9f0fe89e67334c81cc65e82636648a430c6a5d88
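The dropped-file list above carries two facts it does not call out: two paths (C:\KaVBT5\dobxec.exe and the .ini) are listed twice with different hashes, meaning the file was rewritten during the run, and the three 2.6MB executables written to disk share the parent's size but none of its hashes, so a blocklist keyed on the submitted sample's hash would miss every copy it drops. The following parser, an added example that is not part of this report, extracts both from the list's flattened bullet/label/value layout. The excerpt embedded in it is copied from the report with only the Filesize and SHA256 fields kept; the parser handles the full layout (MD5, SHA1, SHA512) the same way.

```python
"""Parse the flattened dropped-files list and flag rewritten paths and
same-size/different-hash copies. Added example, not code from the report;
the excerpt is the report's own data with only Filesize and SHA256 kept."""
import re
from collections import defaultdict

# Parent sample, from the General section of the report.
PARENT_SIZE = "2.6MB"
PARENT_SHA256 = "b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7"

REPORT_EXCERPT = r"""
• C:\AdobeE5\abodsys.exe
Filesize
2.6MB
SHA256
443097d91df09e6e212f658e688b56d35af92f4c01948b27c9a7be21eff3e11a
• C:\KaVBT5\dobxec.exe
Filesize
2.6MB
SHA256
88644a1244ffc6bd3a2d865866351be61da1def38f6c5f5da063b94a08344c8c
• C:\KaVBT5\dobxec.exe
Filesize
2.6MB
SHA256
4f970a4b2db3fb998bbc56f05b53ebfbda272db276e42706c072d44d4adc4d70
• C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
167B
SHA256
482a3bbc58c100f10fbea2df7a1cc332be1484bbfc8039eb5a46e914cf9d332d
• C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
199B
SHA256
3ef4ebe87a719a675b91e827858f3cf5803ea6341032d1c4c29c83a362b338a7
• \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
Filesize
2.6MB
SHA256
fce7314099fa1e4829cbeec1aa69b0b151cd5ee95dfaa3e987cbde4f034668c0
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_dropped_files(text):
    """One dict per bullet: a bullet line starts a record, then each label
    line is paired with the value line after it until the next bullet.
    The same path may appear several times, once per content written to it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, current, i = [], None, 0
    while i < len(lines):
        if lines[i].startswith("•"):
            current = {"path": lines[i].lstrip("•").strip()}
            records.append(current)
            i += 1
        elif current is not None and i + 1 < len(lines):
            current[lines[i]] = lines[i + 1]
            i += 2
        else:
            i += 1  # dangling label without a value: skip it
    return records


def malformed_hashes(records):
    """Hash fields with the wrong length or alphabet (extraction damage)."""
    bad = []
    for rec in records:
        for label, n in HASH_LENGTHS.items():
            value = rec.get(label)
            if value is not None and not re.fullmatch(r"[0-9a-f]{%d}" % n, value):
                bad.append((rec["path"], label))
    return bad


def rewritten_paths(records):
    """Paths listed more than once with differing SHA256s: the file was
    rewritten during the run (the .ini grows from 167B to 199B)."""
    by_path = defaultdict(list)
    for rec in records:
        by_path[rec["path"]].append(rec["SHA256"])
    return {p: h for p, h in by_path.items() if len(set(h)) > 1}


def polymorphic_copies(records, size=PARENT_SIZE, parent_sha256=PARENT_SHA256):
    """Dropped files the same size as the parent but with a different hash;
    none of them would match a blocklist keyed on the parent's hash."""
    return [rec for rec in records
            if rec["Filesize"] == size and rec["SHA256"] != parent_sha256]


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    print(len(recs), "records;", "malformed:", malformed_hashes(recs))
    print("rewritten:", sorted(rewritten_paths(recs)))
    print("same size, different hash:", [r["path"] for r in polymorphic_copies(recs)])
```

Because every 2.6MB copy has its own hash, the durable indicators from this run are the paths (C:\AdobeE5\abodsys.exe, C:\KaVBT5\dobxec.exe, the Startup-folder locadob.exe) and the persistence behaviour, not the file hashes.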