Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 14:12

General

  • Target

    9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe

  • Size

    2.6MB

  • MD5

    f84e858ccabc63dd0f5f79eb455065db

  • SHA1

    a621c1cfe9238e5138a6bc1fc5f49f006d188382

  • SHA256

    9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8

  • SHA512

    b15d3cb494230583380f16f4e7dd2335d6a07afff3392321c71364a31ce501fdc12bfa06a4a3c404a86643d122cfac32b1e0831c61e6c4ce7ab688b361d03759

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSG:sxX7QnxrloE5dpUpPbv

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
    "C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2236
    • C:\SysDrvD6\abodloc.exe
      C:\SysDrvD6\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2420

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\SysDrvD6\abodloc.exe

    Filesize

    2.6MB

    MD5

    cf485e8f2dfbbcdc727649b814ce6009

    SHA1

    be25bf08941b727811b3c3869724ffe6559b6784

    SHA256

    e65bd37d9e10694914b984aba11237f2c81ac295d2376c7c9d367d353a668201

    SHA512

    8713baff7ddc0c7bf215ab2f688541ab163be755964daf625b03e4987ef99ca39ac301c180584d41e21f6fc34bd529c644d3c377aeff18b9b02b8166830898c3

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    14ddf585d2326b219ca483194e186d24

    SHA1

    0dcca9af7bd1e356efd1cb2a47b17094bfb26bf0

    SHA256

    e866141ec4c79f9694641116f0b9a7718334b29efe831dbd569308f94138c5ce

    SHA512

    fb83205bd3b1c0b95ee78e0d5b97b2c61973a39f48e0a0b16fa0a83313de61f305efa19bb0d8b29f8291aa1583782a3bda1e12c4c777e765c9df408fcf098391

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    201B

    MD5

    0c95a78b46278919aacf185c0a858b0f

    SHA1

    c2d8832181787e1b99dcb91b750ee260007cf3e2

    SHA256

    f0eb09bac52799129d955c2219ba21ad8d9472c28b4ea71d690b92d357fb4544

    SHA512

    eafe67739e42014e3a356485a4dcffd42b491e74e662db4c427e04c027c1648a6e88712ab1476b39d3fcdf92668a7e52b1fbd53f8b107ecf0d490c34da991e13

  • C:\Vid26\dobasys.exe

    Filesize

    1.7MB

    MD5

    cdd97b53b5ff1c4c91ddadde33a72d19

    SHA1

    e874795b48a2225d7a2708576fd4d0606378c736

    SHA256

    438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

    SHA512

    e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

  • C:\Vid26\dobasys.exe

    Filesize

    2.6MB

    MD5

    f2ede176433b9afe7462d3dc28be0984

    SHA1

    ebc2199e4be45295205040763d322b96b79b1468

    SHA256

    2551163c11631adf2f126b8cf1b63781a1dcdb3e8dfdb67af0495bcf883e6061

    SHA512

    088e4b7cfb59dd6a90dad69cd2719578d328f76d9ff64406692a519873883c494754bd95e94808f24f68506a52df4f9e948ae4242a54082ede2bfd4415d637bb

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

    Filesize

    2.6MB

    MD5

    feab632b01632bd5a299bee40d2a721f

    SHA1

    4e48fce3e61aa5c9dd0b2c4a18d7506f72dd9fec

    SHA256

    8e9c76dc56465b32585952e351352025d432ad1fe9401ee1975e9462ef6e44b1

    SHA512

    a0381625f37786a94634956afa44a7d46e7d79c7992a5b76513354584a374304aca27c47f59fa9b7c0130bb7caae4c8e63fd8d7d75b1c8d5de65998e4042ba4d