Analysis

  • max time kernel
    120s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 14:15

General

  • Target

    b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe

  • Size

    2.6MB

  • MD5

    bc4c0a71addfe6f7740b88d9795c86f0

  • SHA1

    f576d9f33c789bc91515a2e5bd44770ad7134d41

  • SHA256

    b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3

  • SHA512

    4f2f047e03ebd4fbc8dd101f8592f7fd887252c39157bc4b9c18db2a7b5ec2a14197a36829d2d3363a6b7b13026b905175574643468148ab656c36321770a355

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpZb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
    "C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2552
    • C:\FilesZS\aoptiloc.exe
      C:\FilesZS\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2816
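The process tree above is the evidence behind three of the signatures listed earlier: the parent (PID 2540) writes sysadob.exe into the per-user Startup folder, registers a Run key, and then launches both dropped executables (PIDs 2552 and 2816). The following is an added example, not part of the sandbox report or of any detection engine, that re-derives those three signatures from a constructed stream of Sysmon-style events modelled on this tree. The event shapes, the parent's PPID, the Run value name "sysadob" and the benign Notepad events are assumptions; only the paths and PIDs come from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events modelled on the process tree in this report; they are
# not real sandbox output. id: 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe"
STARTUP_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
ROOT_DROP = r"C:\FilesZS\aoptiloc.exe"
EVENTS = [
    {"id": 1, "pid": 2540, "ppid": 1200, "image": SAMPLE},
    {"id": 11, "pid": 2540, "target": STARTUP_DROP},
    {"id": 11, "pid": 2540, "target": ROOT_DROP},
    # The Run value name "sysadob" is an assumption; the report only says a Run key was added.
    {"id": 13, "pid": 2540,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\sysadob",
     "details": STARTUP_DROP},
    {"id": 1, "pid": 2552, "ppid": 2540, "image": STARTUP_DROP},
    {"id": 1, "pid": 2816, "ppid": 2540, "image": ROOT_DROP},
    # Benign noise: the user saves a document and opens Notepad.
    {"id": 11, "pid": 3000, "target": r"C:\Users\Admin\Documents\notes.txt"},
    {"id": 1, "pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\notepad.exe"},
]

# Both the per-user and the all-users Startup folders end in this path fragment.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\")


def drops_startup_file(events) -> List[Tuple[int, str]]:
    """FileCreate into a Startup folder: the file runs at the next logon."""
    return [(e["pid"], e["target"]) for e in events
            if e["id"] == 11 and STARTUP_RE.search(e["target"].lower())]


def adds_run_key(events) -> List[Tuple[int, str]]:
    """RegistryValueSet under a Run/RunOnce key."""
    return [(e["pid"], e["target"]) for e in events
            if e["id"] == 13 and RUN_KEY_RE.search(e["target"].lower())]


def executes_dropped_exe(events) -> List[Tuple[int, str, int]]:
    """ProcessCreate whose image was written earlier in the stream; returns (pid, image, dropper pid)."""
    dropped: Dict[str, int] = {}
    hits: List[Tuple[int, str, int]] = []
    for e in events:  # events are assumed to be in time order
        if e["id"] == 11:
            dropped[e["target"].lower()] = e["pid"]
        elif e["id"] == 1 and e["image"].lower() in dropped:
            hits.append((e["pid"], e["image"], dropped[e["image"].lower()]))
    return hits


def evaluate(events) -> Dict[str, list]:
    return {
        "Drops startup file": drops_startup_file(events),
        "Adds Run key to start application": adds_run_key(events),
        "Executes dropped EXE": executes_dropped_exe(events),
    }


if __name__ == "__main__":
    for name, hits in evaluate(EVENTS).items():
        print(f"{name}: {len(hits)} IoC(s)")
        for hit in hits:
            print("   ", hit)
```

The "Executes dropped EXE" rule is the one worth copying: it correlates a FileCreate with a later ProcessCreate on the same path, which is what separates a dropper launching its payload from a user launching an installer they just saved. The same correlation would also attribute the C:\FilesZS\aoptiloc.exe launch back to PID 2540 even if the two processes were logged seconds apart.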

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesZS\aoptiloc.exe

    Filesize

    2.6MB

    MD5

    f6a6da1ee10d407961de6dae3c567f92

    SHA1

    69747dabbc830fc934899d2f217cb5e1161ded3e

    SHA256

    6b2f8c6d6392c9fa6e25364a1db2f72238e76ad9a050ea7ddf6e735773a3cd2c

    SHA512

    c84e470de7b77d9fc4598c342ca11938fb4169df7b92ac687922b42d8310317eab2d4ee549d5aa40c301ca8e88368c79e35c9b36cf40396b57209b1e80b461eb

  • C:\KaVBAE\dobaec.exe

    Filesize

    2.6MB

    MD5

    00c4f0df4b227cc7266986a17dba423f

    SHA1

    072e0d165891e4ad54f3e87dde1b1598365abf2c

    SHA256

    be8c803c36847fc90b436a44d83c897e5a2d22d7d098db593ca9dac043e4fcbb

    SHA512

    796038910aea8e7e2208b7472a64ea886c6a709cd424e726c0e4c506b55fa938ffa5caefc9e3d3115e01b6e5ac16c20fd7a09198b465668aae6086cab8b7a1bd

  • C:\KaVBAE\dobaec.exe

    Filesize

    2.6MB

    MD5

    ad8cd1de15b4a888ac04a22c14b67a7a

    SHA1

    17a04b96d5a33380542549d46f70a4c1502bb376

    SHA256

    b8a269491a60c2c60de54ca8b2af2801b7545849d30213592d5886547fcc3e52

    SHA512

    79e650603f997dc90f26ce0e70ab4dcfbae38b7f265c8d86e56af7c943b0625ddbf3e3c798d94d833dad4b10eaafcda1bfc805bd20d160c6735ed56f429337a2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    9e31f4044e3a7375276bc2fd0970ea0b

    SHA1

    82c258c503e4cdef9a7f0ed5f7910a22a7093000

    SHA256

    77eab2ac6682f12a8724138d15e914f6a7679f21488200cc5f6c9e279c8e6f19

    SHA512

    aaec9160ff3df04e7478743df4089591749ea2a643a7b62ee2a95a401b7ce0f01090004b8396ae8c5f261c7bbaeaac61500f08be1899565716501bf27e7db370

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    565a3f1561d34ab300e1a368c56049e9

    SHA1

    e773d968d88dff49415118bf0d9fd5eedea02428

    SHA256

    c3fed1e32bea6abc68227122382e445617b643bc2f57ac7067789948c01fe4c7

    SHA512

    a8d04403bea2d95cb14849bcf0968d0c9d81a4df4cf86dfeec7faa941761f2df3ce90708526a1b23885fdb04410933ab01c23147a03e41a8ee78cccffc2ddd42

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    a824cc775fb2e33438a0fa0d103698ce

    SHA1

    a78a900b6a9e3e30414d071a61ca528bd33b6831

    SHA256

    729ee18e7f3197eec581cc2fc931c4cc4231fea523b0b2fce05203e3a5f8171d

    SHA512

    585f14a0a1b0586490de117f5d127c5cadc40191ade13d4bea45943cc2cdc2f9cc5397d1b8bb2667fca3c5d3c63691e71bb708b5de8e81552b2eff3a761ec0c5
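Two things stand out in the artifact list above. Every 2.6MB dropped copy carries a different hash from the parent and from each other, and C:\KaVBAE\dobaec.exe appears twice with different hashes, so the hash IoCs from this run are unlikely to match another detonation of the same family; the drop locations (a Startup folder, fresh directories directly under C:\ such as C:\FilesZS and C:\KaVBAE) are the more durable indicators. The .ini name 253086396416_6.1_Admin.ini also appears to embed the OS version (6.1 is Windows 7) and the user name, so it is not a stable IoC either. The following is an added example, not part of the report, of a host sweep that combines both: it checks files against the SHA256 values copied from the Downloads section and also flags executables by location. The KNOWN_ROOT_DIRS allowlist and the demo directory layout are assumptions constructed for the example; the scan root is treated as the system drive root.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# SHA256 values copied from the Downloads section above, keyed to where the sandbox saw them.
REPORT_SHA256: Dict[str, str] = {
    "6b2f8c6d6392c9fa6e25364a1db2f72238e76ad9a050ea7ddf6e735773a3cd2c": r"C:\FilesZS\aoptiloc.exe",
    "be8c803c36847fc90b436a44d83c897e5a2d22d7d098db593ca9dac043e4fcbb": r"C:\KaVBAE\dobaec.exe",
    "b8a269491a60c2c60de54ca8b2af2801b7545849d30213592d5886547fcc3e52": r"C:\KaVBAE\dobaec.exe",
    "729ee18e7f3197eec581cc2fc931c4cc4231fea523b0b2fce05203e3a5f8171d":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe",
}

# Directories expected directly under the system drive root (assumption: stock Windows 7
# layout; extend for your estate). Any other root-level directory holding an .exe is suspect.
KNOWN_ROOT_DIRS = {"windows", "users", "program files", "program files (x86)", "programdata",
                   "perflogs", "$recycle.bin", "system volume information", "recovery", "boot"}
STARTUP_RE = re.compile(r"/start menu/programs/startup/[^/]+\.exe$")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, known_hashes: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk root (treated as the drive root) and return (relative path, reason) findings."""
    known = {h.lower() for h in known_hashes}
    findings: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix().lower()   # e.g. "fileszs/aoptiloc.exe"
            parts = rel.split("/")
            if sha256_file(p) in known:
                findings.append((rel, "sha256 matches a report IoC"))
            if STARTUP_RE.search("/" + rel):
                findings.append((rel, "executable in a Startup folder"))
            if rel.endswith(".exe") and len(parts) == 2 and parts[0] not in KNOWN_ROOT_DIRS:
                findings.append((rel, "executable in a non-standard directory under the drive root"))
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed layout mirroring the report's drop locations, plus benign files."""
    files = {
        "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/sysadob.exe": b"constructed sysadob",
        "FilesZS/aoptiloc.exe": b"constructed aoptiloc",
        "Windows/System32/notepad.exe": b"constructed notepad",
        "Users/Admin/Documents/notes.txt": b"constructed notes",
    }
    for rel, data in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo() -> List[Tuple[str, str]]:
    """Sweep the constructed tree; the hash of the constructed sysadob.exe stands in for a real IoC hit."""
    with tempfile.TemporaryDirectory() as d:
        root = build_demo_tree(Path(d))
        iocs = set(REPORT_SHA256) | {hashlib.sha256(b"constructed sysadob").hexdigest()}
        return sweep(root, iocs)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real host, call sweep(Path("C:/"), REPORT_SHA256) from an elevated prompt; expect the location rules, not the hashes, to be what fires if the machine was hit by a different build of this sample.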