Analysis

  • max time kernel
    120s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:59

General

  • Target

    1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe

  • Size

    2.6MB

  • MD5

    c36ab471590b1748155fd280cf12245c

  • SHA1

    b2536fb5858b058629ad1fd9a3e2e1caed757f71

  • SHA256

    1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2

  • SHA512

    2f053d576b94cedc7a704c6ba10a50a74f462d9bc98194b04b520b1ae4a185324491fd75f9e38011f069b40cd1b24d8f87a87267cfb8748cd04037f7ae748ab9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq1:sxX7QnxrloE5dpUpUbV1

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
    "C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2532
    • C:\AdobeWY\abodec.exe
      C:\AdobeWY\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeWY\abodec.exe

    Filesize

    2.6MB

    MD5

    79c1d0ffd19c6b0daa00acd02f9fd6af

    SHA1

    b296cbb3f67e84da56231b87c9b75b6c1e35f7be

    SHA256

    e159097b9821ccc3c0e9cb83ab94b83b362011ccf5e8df06b51ec96b09cb02ce

    SHA512

    0eb80c58a306a15911be284699158e3f06962dcdf605305b4c7c0cd5f1b83a6bf71e78397c212ae2b56e96ec611058c1bc3a71782ebf1d293dbe7520a00f0f94

  • C:\LabZ4Y\dobasys.exe

    Filesize

    2.6MB

    MD5

    708932e6ae8cdaf469effad64bb6eed3

    SHA1

    601e30e4950ad84519ec8ce5338c3b2836532c78

    SHA256

    37502e81349981825e41e7ef01b573cb99675fa369858df75464d676947b4f18

    SHA512

    25d7b9285cbbc479c3a66d07bde5e84dd2d268e33ffa9bd02f587225ca5930415b677a4debc7c9cea3d858ec06c927b757190ed934f1b2dcaea3821741911214

  • C:\LabZ4Y\dobasys.exe

    Filesize

    2.6MB

    MD5

    9916434bb785eb16d7ce86fba8a7da45

    SHA1

    fda3f8dd493adb0b7ac243f159baa0c367788af2

    SHA256

    6a8a4313ec147e22f3c44e1601125b05b42de7b9be5e816b37bf8dd28db008f4

    SHA512

    b1439c4f5c269f9588f91368d88eb35da535694727c58218e639e27fe99a4904e1f9e092492cf1f718be116f362230edb642b900e447da3b1cf56f83d3745165

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    167B

    MD5

    07063418c10263ca3c058f8cdac66369

    SHA1

    fd2c6f995e4848ae14ad452664b65b17a5400433

    SHA256

    4b42773b6cab7dbaa5e54e512b652c9a1c6a2a6b3a015846276150ede1cf64d7

    SHA512

    9e0b4aae1e5f595143697859369f09c6e49a4c9e8e27a835e4d0829e12cbe5369308f4f368bd3b426561c04710e88ff85825553486f3f4e825f95791b785a35a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    199B

    MD5

    26452f54233da6f964b6f36f10bb841a

    SHA1

    3b9151d63690177d6a4bb7d6534568ecb9c4ad0a

    SHA256

    371616bb1bb39a6d70ecb9febc9c813c4a73a2523be4362a9f65240e278a56e6

    SHA512

    1bf72208e9a31eb3496d276e2ed2a0649baec983c584141140bb41c45c3a36488f309d09159bb91a5c4619ce405418d841c31f849e04e6432848e5b441b9fa8a

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

    Filesize

    2.6MB

    MD5

    c5f4f454d930578c2b2e5f2888216f34

    SHA1

    d3c331d34db7d28970662c50582a32594338c175

    SHA256

    89af68403bee92e321882e3b6c9db43f2bf1f02e1bb3493edf37a7d787d1ab3e

    SHA512

    2c7728b2877d5f4e1cc3d07953a94914fd3b6f03f30f65e0b1a34fac896193c1caa20ac1ed8081e1612f0787d45d7a9ab4cbe692023f07012503cf51de34c9da