Analysis

  • max time kernel: 119s
  • max time network: 97s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 14:09

General

  • Target: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
  • Size: 2.6MB
  • MD5: 8783f6824ec21bbc49a9b9081cbae892
  • SHA1: 85a63c5c1c7a7a14a8c8a090e1e648b1eb770433
  • SHA256: e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499
  • SHA512: e59e0b90b56a77f9c206059baebb95ac9cd7eda3c9516fa72b093eb225039604d1c2c998f246e98c7560e8ad25b7506e8b975ca27145435cb4afe2c396d494bc
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSy:sxX7QnxrloE5dpUpvbt

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
    "C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe"
    PID: 4564
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      PID: 2620
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\IntelprocEO\aoptiec.exe
      C:\IntelprocEO\aoptiec.exe
      PID: 4632
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocEO\aoptiec.exe
    Filesize: 2.6MB
    MD5: 6ce45a97733bbe6763252b964cc91f79
    SHA1: b00dd2850e7884d3105487877c1a421c303673c0
    SHA256: 9c1f967816fdc708bba981ec90558960bcce292a6e74ad899f4e761861689777
    SHA512: 8aaddc0217002cf114b6285dfba1e2117774be73fe08622baed49519255022202c99d6067270006f1453567c5b714d79d35cac8894ef9db187eaa23acc322b96

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: c1613dea6b42b88fa54d1db6e7a50a31
    SHA1: f5db89ab9f3168dc6630e16e523dde738bf48b4d
    SHA256: 1e28fbdae9405765d611a311c9b491f591256a245e062e401ba2abed6e5f6ac5
    SHA512: ebe743b30df05a4928e42d2e01bd0981b121eec4e743fdef531fc32b9cb370beb1e2b1a869778cfae71dfcae8e0cedf6dd36d09e5d8788eefe01362cf0eb5cf4

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 54b3f6e9cca19a5852516703391596b6
    SHA1: c815af9a7af8799cef3e7e92c5a25b3c7b019056
    SHA256: 27b4d1977ae0dabd01b4ff34871cc939819e019d0a23fc8f1f39d7d3453a3cfd
    SHA512: 68e356dd620b3efef0f69ec0438cde28193358eee04ece30bccbbe2a0f454d50d3a91448bec5596bd43cdf0b6662ed70afa4274850a770f707542db09c6b8659

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    Filesize: 2.6MB
    MD5: 9da79e5abf6f685eeade3c8b008ab144
    SHA1: 0a2fb053cf719271a1db789b37950aab10c730dd
    SHA256: be0546b5e970545604633720785db9ce9a1d5bc8e7b4edfb13ea0daba3485694
    SHA512: 376c3883f67e2649c9508dd5b5130d3e0bf3ce0fc6f088b41bc5f68c93e14aac4bb6ffcaca91c5a4d22b7f9434d0296cb9d8b98d3b725670243fffc58c78ddba

  • C:\VidR0\bodaloc.exe
    Filesize: 2.6MB
    MD5: 67167edbe9379130277de18ea74d6170
    SHA1: 47f2289285c3c35ff15c60a923d76b904c23bc7e
    SHA256: 369a0a7a5e2c74b99c51b43fb0dd9cb7f0cdfc2fc67e35c0065aea29d128418a
    SHA512: 97e043ec6602bcae6d1a0727e5cdb3ae219c4918b569b2c92ce1b04c95d21fe8fa607ed1bffb9544de4a7e88effe1e4b9a3bfee061068712635c713c54ca0763

  • C:\VidR0\bodaloc.exe
    Filesize: 2.6MB
    MD5: 9a3ebce8a284ff6bb17819c4d73f8313
    SHA1: e287bb2909283ab208c3d36444f0076bda6f9660
    SHA256: 388546c781f83af433a03a0a0fac9d19929747bf07b6b53d3a07da283595942e
    SHA512: 21456977e3a5941d71228843cccc3e19f3e4d93033a8c6c7d0ca786f4a972f1bba5b7a7b89ed006b6baea8841b5e2b3c5b14d17da1f34ccf8acf81235894356f