Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:22

General

  • Target
    b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
  • Size
    2.6MB
  • MD5
    c8e6cd3b257f0fbbcbe9d47e89be9380
  • SHA1
    ac72c5c60b9d1f31636772e7db3070cceb9c1353
  • SHA256
    b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7
  • SHA512
    d7111cb2a21ac5de9a89b875151a85a3d0233f7f9a84893407ed588702f2398c222d28c57954dac6a90fae2710daf597f6ef56e3e79bd09ca2f74560df747a68
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSq:sxX7QnxrloE5dpUpLbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
    "C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1436
    • C:\AdobeWO\adobsys.exe
      C:\AdobeWO\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3152

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeWO\adobsys.exe
          Filesize
          14KB
          MD5
          5ffab038d17d47771c031d3b701e0cc5
          SHA1
          74d331d26e5210e7e523c750b0080e1641bb61f5
          SHA256
          1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982
          SHA512
          fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec

        • C:\AdobeWO\adobsys.exe
          Filesize
          2.6MB
          MD5
          c96dc72408f960e75ef8a6138820772d
          SHA1
          3dd72e937c15158cdab3b4ffe00aca12edebd60f
          SHA256
          f3ce1349895b9d7eb03506e83faeadc291aecf7276ff9bf565c6985bb3bcc6e6
          SHA512
          a08648bc812a7ea103f0bd2e8908b1bd63da2659e1ddb7d4cae8c8981597ed58e4856c9657d01bf97214b50268f7571e98ba16f66f3145bb9f10d23c113f4353

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
          200B
          MD5
          c44c6677df279fa89b36e1da00cd0dba
          SHA1
          5e115c4e02a879202d4ce534339526324e26600a
          SHA256
          578af5eaf313f387380ac03b18c8b3c3351072dd1b7aff73cf20288d1451d96a
          SHA512
          8a3f07b88fc6638cbe0593b44920b7702c74c47a12dc738da9d67df853da84daf27417725eaaebb3e0ad42b2e7257dbad2796b13dbfc8467e2db0752a0e03d2b

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize
          168B
          MD5
          6d30d6f5ea332597da6acb08d8717e25
          SHA1
          cb68bda2c8d91bca756cf017933ac72229297a42
          SHA256
          bdfff1edb63e88961a83075974d0d391b0c4452e1184ffc9882604456f6370e7
          SHA512
          fb0a0476bbb13c6c9f658e9a44692c0add81a899a2b3a6130cc7d4df7d0f2fcd90dca907350b2b2efe106fd408b42a98ce0f215c2d7346e068685e197dfc66c0

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
          Filesize
          2.6MB
          MD5
          5f04dad6081f60786100da8710df08a8
          SHA1
          2646731d5cbc33323aafbe7d9a5d54c3a2baba46
          SHA256
          14f4eed85794cfe1b9e3ee3114012b974fdf06c12830f332f8899a60058623e5
          SHA512
          970d0423ba88b46f2342ecfeebd2c4fba7b3f5eda657faf60dffeb9ccb0da70c558aea6bdb9904c5c6adcc9823c0001412eb89cd000b0c9e0107887267ed1cfb

        • C:\VidDZ\optixloc.exe
          Filesize
          554KB
          MD5
          92c97bfb8cc7475e4f1c3e33de026bf6
          SHA1
          99ea6e9e089849197f004b7fa08f6814440a4b63
          SHA256
          0c387b7d3108e0ae782f62c43808c86147736720709fb884b45776064efa41bb
          SHA512
          42d0b1e0206b7a2d020284d3bfb89850e931359be68057134dae0a1539bcfdfa198ec470d85786e7a077fa50913dd28833e4912a69bfa522df718ca4b073c5a4

        • C:\VidDZ\optixloc.exe
          Filesize
          1.7MB
          MD5
          faee513dd743d3b3ccd609363833fd30
          SHA1
          499396fe99172ba38f27cc9739c744e96b35078a
          SHA256
          53e08c514c6373f5158ae7cef7322b3fc4703e369ea67e3eeb527cf4ae6124f8
          SHA512
          f120134684300c7cec1196568d5185bf25a7b154e40a966c5333fe259531028c00aad15bc961c5be153964c6a0e2f8a4637f8dbbc8f35257f6289b6ce344bc9e