Analysis

  • max time kernel: 119s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-11-2024 13:30

General

  • Target: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
  • Size: 3.0MB
  • MD5: 05b94f0a6f5415b0a78b17374bcd81b3
  • SHA1: 8733cbeabdc5cd57665c2733c4f4b60c34972006
  • SHA256: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc
  • SHA512: 7e5252f68867543e2ab382de72a844ef039d77bc6e00f4cde38c2986f50d8f0fb49d219ad5f33d820eb375e451825fe097c0c21323b9c30ad5a271774459c7c7
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX+:sxX7QnxrloE5dpUpPbVz8eLF+

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar artifacts.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
    "C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2344
    • C:\Intelproc2K\abodsys.exe
      C:\Intelproc2K\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Intelproc2K\abodsys.exe
    Filesize: 14KB
    MD5: 3d45b0eaee6cd60ad4f5568ac16ef258
    SHA1: d7e11caa9a67cadd55724afe2d1d84adab824cea
    SHA256: ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243
    SHA512: 2d25a653389ee60d4d1a922b31cda5d7dac66d70cb6b72b1e60925b039a1066d16fe93dd478af6cc0fe4eb3b73c7cab86c4cc39eb4f0fb4da694adef8999708b

  • C:\Intelproc2K\abodsys.exe
    Filesize: 3.0MB
    MD5: 48e2bc270b37941c5f79c121c0547fc3
    SHA1: e2b6cd60094087690a755eb095f71032ad983fb6
    SHA256: 4aa1660b4fdc54dcd210d80597773349e80f6988d65e0d330db6c8a37df97ff1
    SHA512: db528a4cba8e8d9864d4cb4914c2d7399f6a9b3dec7617f6d80b553ca9715588e67a96c17349e1cb6e64ef50e82857faae782ec7966b55127e0d1d388740afc2

  • C:\KaVBQC\dobaloc.exe
    Filesize: 3.0MB
    MD5: e29e0121f0682f53e3e8fc1782038fa4
    SHA1: 0f1cf27b969c8e591f60e5c71adfbf7a15d3f477
    SHA256: bc4b66e9bf658f072df4cf4309aab1f49e5cf585187b17693acd10f8ffdc939e
    SHA512: 1b16c62cd8bce222b62ca3a193f27dff26289fbf563be95990002f7d0c6e6f97d11104ff195447e6529f3a5e50157e223d054a3eb2b776be27ecf4a6ebe74111

  • C:\KaVBQC\dobaloc.exe
    Filesize: 20KB
    MD5: 2873fb57ea06e0913c9b5dde7bd73c2d
    SHA1: c2794b886d0f3c44e805ffe343756fd81b5c87ec
    SHA256: 08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587
    SHA512: 9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 172B
    MD5: 15227b891bc37a79788fd0999d0cc670
    SHA1: d0b663c28a51ea37e8c2e1b5f51270e0ac10031b
    SHA256: e78720b0afd818a1a1fd4a7779892bf1099b35be146f1dc5ab2e97a1993c931a
    SHA512: 15f5d7dce82991d5c948d5e2c9c83e5c112ac3e689429f4ab6da1af7f6d6b2ea7acfd0c93523cb1bced5f02267ca58f9ab7164044ec60aa4c7776735ab557a98

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 204B
    MD5: c6992354d2fb73eb86148f192569c7ee
    SHA1: fa212fc9c3d595bb5e3ad3c4415ae8142859a12a
    SHA256: 0e39d9a2dffbac1b93a90d32470ee707f3617396638058ab65a5ba5b40d4625d
    SHA512: f8dfc436f72421895e69750aec20828b04b4459ec3876431179d8f4629046766807e692e93ccfc728c2d8c939a7492b461a4d3eebb8a876b6684cd7453601fca

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 3.0MB
    MD5: 728bdcea688eeeebaa17592ed50d65d8
    SHA1: 25f56ca18d8fbf4dffdee00309998b8e36d7312a
    SHA256: ab662da369ca17d5a6058a25c6c922c898276275076a15ed50a5dc5626fdd7cd
    SHA512: ea13cff3149f11a3f6dd64fc2997f561277ecfb67113de5252d0f895a167ff2ea0ef3698f83296bb757f4edcc0888fc02713a4cce92a9acddd2d88b0baa39931