Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:51

General

  • Target

    778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe

  • Size

    2.6MB

  • MD5

    f24829d54377deba94bd4b8fde70b726

  • SHA1

    cdbc61b458a50d33cb68270e9b077a0a0af70fc4

  • SHA256

    778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb

  • SHA512

    4e644377691dba3b04413d3c35a1801aa207bc45cf1c04efa9971786541fd5a6629d332d2d230b16b1318d6ba49863bf21f85741767665240e8cd1f6a741adfa

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSi:sxX7QnxrloE5dpUpMbl

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
    "C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2580
    • C:\IntelprocMU\adobloc.exe
      C:\IntelprocMU\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2728

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocMU\adobloc.exe

    Filesize

    2.6MB

    MD5

    a706c8baa8b0b12b7023bfd712e23f5e

    SHA1

    e262a6a517f5ae526cfb9797ef102ad0c419ce51

    SHA256

    ab294209a9f0f881fe9fb981fb2189a2bbfd1844d0118a468e564fda5b2ae2c4

    SHA512

    bb82273dc085745e6a1abf1703d4c314d7ea44a4250cca6920711723214a50e2aa1e589fe367669f18d319c83af67604e434bbf0c13adb3f3f7587bb585aa56f

  • C:\LabZAE\optiaec.exe

    Filesize

    2.6MB

    MD5

    dab8ff3571b3172ef4ef8e579a1c9ba9

    SHA1

    d1b6e8fc0b7f29944e3ece75e825eb91787c1b4b

    SHA256

    f6f8daf7fa8cfa4414bcc8d256847822d893b99aa71eba3a62042e241e8cf4bb

    SHA512

    d7c0f28ceddcacfa986a4e2785b999afde4bcb62c63406bba2b1eed682770ed28460f4606fb7b0270f54c4c85ef602f3bd432f994bb0829264e8ac2026e568b2

  • C:\LabZAE\optiaec.exe

    Filesize

    2.6MB

    MD5

    5d94eab258146b91f8f3a3e75dfc07c6

    SHA1

    c0aa13aa4ad0fba6bc5da7c968aad439b4103cc4

    SHA256

    121ac97b8a7a52a72df9039f6614b6b5f12f144ac812b0afa297972f7fdc0ff4

    SHA512

    e9ff0e9805be15e8cd9a3c2e722aba2208ea111b0895ace8d3fad165c0ea65ae0d50c39585a79af66906c5c134b0b332466e62d205345b489a146a8236a1f0ff

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    52e4b03353bbe09174388d71a040476e

    SHA1

    18f5a7e86d84ce9e548bf669d6c69fa9ee9c0e1d

    SHA256

    91f56def559fa3778c6cfd79a512e06aebba0ef85a7743718ef8d97cf99919c7

    SHA512

    ce7afce8080d17c8d4464db140d08c9154f7c9399bd4b87207ad4e05d147c4ad87af51b0a91ed05d78773e5287b0cf2d8043aa3a60d276b842ef33ac8c0db699

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    b3ca6af2db8208c473c801dfaa890ea5

    SHA1

    a8e476a3a1a09ac4dd79d86fb06f5a69516eac3a

    SHA256

    e0ab39870c696813f6da52f288084953051a5a9addcbbbf48e7b665f8a80de57

    SHA512

    bfe2a9c16d9b4f163eda4cfc9332adc58afe87c0fa26e073c6488eabdd97243b358c08baa9159937b984fbc1cd7f9564e5b1e30a013d896dc60c7596442daee1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

    Filesize

    2.6MB

    MD5

    482e37d03a1881a5e4dcb1efa21ab11e

    SHA1

    137976633784ad76a06d229d67d823dd27b58736

    SHA256

    51ddd8eb098a2f84bb9f59ca4aac5bb3b18b2b2464d6eb8485c37749a7eefccf

    SHA512

    45266b00f66e1e83a39b243729547393efe162f97c64251ea2cef33f0d16261575ce9f473396f61b27b51ba61387315f5193aa5c4534f6c5f93f112320a16b81