Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:53

General

  • Target

    a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe

  • Size

    2.6MB

  • MD5

    de0b5782de12cab93f8325f9473888ee

  • SHA1

    83b4ba6493642200f175d76bb53659eeedd6dba6

  • SHA256

    a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7

  • SHA512

    21012aefb971bf05b5090f74375bb436d1294f227662efe661dededd5355d381f7f26195abc28db6f96b5d0dfbf27206aca5383b54c6111ffd225a3992f04341

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCzB/bSm:sxX7QnxrloE5dpUpfNb3

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
    "C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2340
    • C:\AdobeZ8\aoptiec.exe
      C:\AdobeZ8\aoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeZ8\aoptiec.exe

    Filesize

    2.6MB

    MD5

    57d83120f986ca9db08459517b2ec14b

    SHA1

    7f0549bca047c32d241e8a88b92fb3ed21c6ca9e

    SHA256

    06d9affc0cc0cae90248361fed1694f6468e4191f6e976196d6dc55371ba4f9c

    SHA512

    23b8a6342f365916d086291a01f6956c45ab44f3ec3776dd8e678061a5f05740fc5b2c3c95787a39642913ecd4f8ab467cf50165ea3c3ae6c25a78d41ab74191

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    79ded9a225e5edd59586437c91705a83

    SHA1

    00927bbf3b312deb041294619a0ccc9f3a261b84

    SHA256

    07652b862ce06b991990bd2ab8a6aa7dfe41013b7012b22c4ad76c68fa4dec64

    SHA512

    b8342ed13cc81aa04cccc92924fd868161b7d9e329fc82e744d181ae8e5ec377798456f86e60a8f3c1ca6872d37af44cd6f3f32b75489181114d91649d47a4f5

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    735b4c1bcf04ef7b3323004f295a1c6b

    SHA1

    abdc828f6118b8e54d88f9224089c44a51a208e3

    SHA256

    320c2bfcbeb829195d7ab157ced953b631e0a6c5d396ce26a52fcf70717f0ed3

    SHA512

    0c73f0088abbe809ec161c54ad8dce624affe04816e2535dbaabb6fbcfc726b9ec5cdcc7d6112bb81c1eae96cf39f9ef49317d967892a4bd72099714f644847d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    eb17d93a7576dc57780dae8b2d83809b

    SHA1

    489bf164d26a985968c59bbe134a1b69ccddc243

    SHA256

    086edbba1d636aa7bd2ded459f11126af8f294506f24082fade630de62c9eb4c

    SHA512

    6ffc3f104b1aa30bcf52d7372177aa31e24f0d182b0d988076cf4570eb157ac29cae74e24ac36dc8ea09d1e1f9368554c8b765742ad14c16e5ff2a281b633f37

  • C:\VidY7\optidevsys.exe

    Filesize

    828KB

    MD5

    a67608901df8317d8feb584893809d39

    SHA1

    0095f03dc9fe59910ee0ccdc5de8fa5938b95ba6

    SHA256

    02bec78a0ad5d331fb9b1a7cf5670debc725ee154e5b0943d3279b51ae7e9efa

    SHA512

    a28445d1a34cb592b6da9171f285fa63e91e785ef543bb8c1623535d1b5a088021c0bad62dd39e5d833a8327255edeb2cfc76b63c877cef1e7510e0f0e86af27

  • C:\VidY7\optidevsys.exe

    Filesize

    2.6MB

    MD5

    af5578b726edee5612a9b2bcb9b6a54c

    SHA1

    0ac385a233e5a40d00a8f6753c3705c05dd55c3f

    SHA256

    025d5e9378bd62d46c115e16239c85643bf1619c564f344fd90dff0743a13f30

    SHA512

    f63a1ef166ece21b2376518f434c4f3497a4e8cd162cff1530457a93ed88b5cc3571cbb68705175ed14c2934881a5c3956d571c640f9f913c9528dc7a226369b