Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 19:45

General

  • Target

    107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe

  • Size

    4.1MB

  • MD5

    b93004c132f8750522b7ef4097c3ca47

  • SHA1

    c97e9f8203ce5dc89db93e734fea64dd8330e81b

  • SHA256

    107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222

  • SHA512

    8bdc2c4bc22243b578e0f06538f7acadfeee2fc6aff998b2b694866ce614459df28dd666e5161c6a5dee5884b119bbe4c8b4afab772c63a968d12454c5c03bab

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
    "C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1592
    • C:\FilesQM\adobsys.exe
      C:\FilesQM\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2352

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesQM\adobsys.exe

    Filesize

    4.1MB

    MD5

    18c64931d62669fd19f74b4a069c4cfd

    SHA1

    9ac3c6b99c5224e66fb8630858cc64509c985af6

    SHA256

    e788ea16494eec598d382df1002c57d5de963a2356195157df284738a60a744e

    SHA512

    4300ab3891d106b74296c961ebcfd98970a18dd7101814f1f2a99155d0c114eca284e3e4d6199f5568d5e903006d6b4d8fcc29ebcb720d6be5473372695e8323

  • C:\LabZDF\optidevec.exe

    Filesize

    4.1MB

    MD5

    76476119549b06888b3a983537f38a31

    SHA1

    0a92623bdce7a9daed099b8625042bd4e3cfabeb

    SHA256

    2827619ea285784f62f965ae0fb30c9f5e38a0637a11c595e16ddacbdadadf71

    SHA512

    fc255ac116ad54275b2452493e1114e86115432edc7b0b0be100f1999f17ef656ff7b78eb728b337d339ba180db7dc0d1aab6838268773c764f36477081e5848

  • C:\LabZDF\optidevec.exe

    Filesize

    33KB

    MD5

    3421d48078becd2757242c799c1f76fa

    SHA1

    f712b81d8b836313c299781997e39a5f2a55b101

    SHA256

    903d682dfc442dcf9784154e15b1b6d129e7a7c43ac53e742d6a50faea2c2d21

    SHA512

    511e1f4bb429fad3d667d12a8c03ec79d63524461ae510626eb716d362347be711fdba7cec3a84eb383418fb8cdbbfbbe56c4144955c563df913650fd87fa5b2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    170B

    MD5

    b6c02d1a4d457bb2fbf2c065e1949c4c

    SHA1

    225654c987afb8cf7f314b4fae5bcf99f1cac46f

    SHA256

    743789c463aeb3bf22ff7fda914a7abdbb7796bd8e7a71323f891020b07e99c3

    SHA512

    f96364c35bea997efaaadc0a41f2cb0b252f23bda11b6d332065e285aab7c4627a8fc1d145556ae680a77e5230f38a08a445aae7ebf6e8857f673bc30bf562f4

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    bf2eeb6371d7b483bd3287e64e95df96

    SHA1

    9767b3dcc401453d243743c83a9bc450dbbf0f52

    SHA256

    190b7bd24f0a14a9d76e49994c64653c02d5e55e3a38eebbfecc37dbd13211e5

    SHA512

    205d4de35c7dd93457fba45e27ca239961d5dfc70973e80b9bd323d61af2089734f9e4b5ab315679e0edaea28d81e17f228fd1c0aa67ba915aa5ef0a22369ffa

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

    Filesize

    4.1MB

    MD5

    2f003592b102cbb9d6366e83a53461ac

    SHA1

    7212c674319c2b605c10c2c68ec705e7b01fab0c

    SHA256

    f1e00dede2ab76590a2f16a9566793d4c5f8eadb3464fc6a331398da65cdbaed

    SHA512

    3a0701b69e3679dc09561cba4ceaa35726c3809b6df7b2c7a90869b63ecd4916771bc8035f5992f0eccedbc10bd7ff22d1af47c2e57770c6bfb081c48c4b91ad
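The Downloads section above shows that every dropped copy (adobsys.exe, optidevec.exe, locabod.exe) is the same 4.1MB size as the parent but carries a different SHA256, so a sweep keyed only on the parent hash would miss the persistence copies. The following is an added example, not part of the sandbox report or the sample: an offline IoC sweep that embeds the hashes and drop paths listed in this report and flags files by hash, by exact drop path, and by the generic behaviour the "Drops startup file" signature describes (any file placed under Start Menu\Programs\Startup). It does not check the Run key, because the report names the signature but this page does not show the key value. The scanned directory tree in demo() is constructed here for illustration.

```python
"""Offline IoC sweep for the artefacts listed in the sandbox report above (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes copied from the report: the submitted parent and the files in the Downloads section.
PARENT_SHA256 = "107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222"
KNOWN_SHA256 = {
    "e788ea16494eec598d382df1002c57d5de963a2356195157df284738a60a744e": r"C:\FilesQM\adobsys.exe",
    "2827619ea285784f62f965ae0fb30c9f5e38a0637a11c595e16ddacbdadadf71": r"C:\LabZDF\optidevec.exe",
    "903d682dfc442dcf9784154e15b1b6d129e7a7c43ac53e742d6a50faea2c2d21": r"C:\LabZDF\optidevec.exe",
    "743789c463aeb3bf22ff7fda914a7abdbb7796bd8e7a71323f891020b07e99c3": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "190b7bd24f0a14a9d76e49994c64653c02d5e55e3a38eebbfecc37dbd13211e5": r"C:\Users\Admin\253086396416_6.1_Admin.ini",
    "f1e00dede2ab76590a2f16a9566793d4c5f8eadb3464fc6a331398da65cdbaed":
        r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe",
}
# Generic persistence location behind the report's "Drops startup file" signature.
STARTUP_FRAGMENT = "/start menu/programs/startup/"


def normalize(path) -> str:
    """Drive-less, forward-slash, lower-case form so report paths and on-disk paths compare equal."""
    s = str(path).replace("\\", "/")
    if len(s) > 1 and s[1] == ":":
        s = s[2:]
    return s.lstrip("/").lower()


KNOWN_PATHS = {normalize(p) for p in KNOWN_SHA256.values()}


def sha256_file(path) -> str:
    """Chunked SHA256 so large (4.1MB and bigger) binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Walk root (a mounted image or triage copy) and return sorted (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = Path(dirpath) / name
            rel = normalize(full.relative_to(root))
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if digest == PARENT_SHA256 or digest in KNOWN_SHA256:
                findings.append((rel, "sha256 matches a hash in the report: " + digest))
            if rel in KNOWN_PATHS:
                findings.append((rel, "path matches a dropped-file path in the report"))
            if STARTUP_FRAGMENT in rel:
                findings.append((rel, "file placed in the Startup folder"))
    return sorted(findings)


def demo():
    """Build a constructed directory tree that mimics the report's drop paths and scan it."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    samples = {  # constructed placeholder contents, not the real binaries
        "FilesQM/adobsys.exe": b"constructed placeholder, not the real dropper",
        "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/locabod.exe": b"placeholder",
        "Windows/System32/benign.txt": b"abc",
    }
    for rel, data in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root, scan(root)


if __name__ == "__main__":
    _, hits = demo()
    for rel, reason in hits:
        print(f"{reason}: {rel}")
```

Run it against the root of a mounted disk image or a triage file copy (`scan("/mnt/evidence")`). Hash hits identify the exact files seen in this run; path and Startup-folder hits are the ones that will still fire when a fresh execution drops copies with new hashes.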