Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:05

General

  • Target

    db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe

  • Size

    2.6MB

  • MD5

    1804e3d044e72e1b2954bbc7c97cc510

  • SHA1

    9a0df2dae401ca018676a81265780def3eebca20

  • SHA256

    db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9f

  • SHA512

    de1065df57fc1cccdc4baf44a56e312ee9c3c0c7e1d8e543e21cb3292eaabdbe1591f17b608559231c089f64380c19386ae2cfbab765d7d93aefcba02d2d74f4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpCb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
    "C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4324
    • C:\AdobeED\xoptiloc.exe
      C:\AdobeED\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeED\xoptiloc.exe

    Filesize

    2.6MB

    MD5

    39927e8550afdf1d612706720046ae1a

    SHA1

    5d0edd26d4579c8f058764720f179c6992fe8d9b

    SHA256

    4a26bd814ea231d9ffb53f9c08c1aefbbf2484b74c95ab76c4b0f739b69c6927

    SHA512

    bae31135bf8e6ad2f4bc4bc50ddf791b9351c9966f1c3a1d7ca1f3c83033acc2bd61acce52bede915ca4bced642d1d9de9a0fb9392630aa0f3c7a3131d8fd1da

  • C:\KaVBU3\dobxloc.exe

    Filesize

    2.6MB

    MD5

    f87826ef3bd35c10d6d36cf0ec9d9818

    SHA1

    c0ae1913e6a0f3b2f8a78008bb015bf3ac8d862f

    SHA256

    c9a3ecb0e11bf714274e07e2d73467cafb582909fcbcd540880b1df8ae9c7f28

    SHA512

    1ab1bd1b1df96ed29027ab083f759c3d6dfc27bd77c42120e250aeab30d3925b9abf0c146a40efc8e6035e3ce6fefe12d58b4cd7c0e1646933e990ca5afbcad6

  • C:\KaVBU3\dobxloc.exe

    Filesize

    15KB

    MD5

    10e6df3619bbbd1a2464d5000a56fbb5

    SHA1

    9080f324c059847c04fbc434d62d8ab2e06140a9

    SHA256

    e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

    SHA512

    9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    27cc22543cc4eafe166fd15152f4bc5a

    SHA1

    ec48e5c55284e687143f7835d8af4748d29c18b4

    SHA256

    bedb3757c991ff3224f45a590154238956621152434086a08d6f1edc2872a550

    SHA512

    66ab1836b67715def83db0484b2f2491b4260b0791658646831db2b41fa580cda499175a499636cf524b9b5dfdd4124b6662beff617c661e017304d33b6abd4c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    1626df9605f1df0f9b4c924b073a3138

    SHA1

    0d6e3f721bbf30814b0b50f225fbc4b9505cb169

    SHA256

    a2a2c7fdbd9ed5dc0bf26a22f76b3437a98c713d1b2e3d4909147201ca252cee

    SHA512

    936b18aa155f52ac37af0fd6613899d7cddace26fafe5005f3beda7d01e8ffc969a37a57473245762254ec2ef57fc2f1d195de167708731cd089e6c805cab2a0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

    Filesize

    2.6MB

    MD5

    2074a25d2dfa523193cc405103af9770

    SHA1

    5d101ba203011b3ab6812d6a38fcda3726fd8769

    SHA256

    66f7659ca6005b9889023f4c06ef0ce13907bf9c6f9fab4f138594b2c800d5b8

    SHA512

    968e365e666a5df315041ea3ca555b368345dfd8e745f01c6e88eb4d76f422b01e5191d8295d70e7e39edec330cd7682a9bc201973a8e4b801759bea94488825
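An IoC sweep built from the hashes and filenames in this report, as an added example; it is not part of the sandbox output. It assumes Python 3 on the host being checked, and default_roots() lists the locations the process tree and Downloads section show being written (C:\AdobeED, C:\KaVBU3, and the per-user Startup folder). Note that the report lists C:\KaVBU3\dobxloc.exe and 253086396416_10.0_Admin.ini twice with different sizes and hashes: the sandbox captured two different writes to the same path, so every SHA256 is kept as a separate indicator. The demo() helper writes constructed placeholder content, not the sample, into a temporary folder so the sweep can be exercised offline.

```python
"""IoC sweep for the db0927bb...N.exe report: hash files under the persistence
locations the sandbox observed and match on SHA256 and dropped filenames."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Downloads section and General section.
REPORT_SHA256 = {
    "db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9f": "original sample (db0927...N.exe)",
    "4a26bd814ea231d9ffb53f9c08c1aefbbf2484b74c95ab76c4b0f739b69c6927": r"C:\AdobeED\xoptiloc.exe",
    "c9a3ecb0e11bf714274e07e2d73467cafb582909fcbcd540880b1df8ae9c7f28": r"C:\KaVBU3\dobxloc.exe (2.6MB write)",
    "e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559": r"C:\KaVBU3\dobxloc.exe (15KB write)",
    "bedb3757c991ff3224f45a590154238956621152434086a08d6f1edc2872a550": r"C:\Users\Admin\253086396416_10.0_Admin.ini (201B)",
    "a2a2c7fdbd9ed5dc0bf26a22f76b3437a98c713d1b2e3d4909147201ca252cee": r"C:\Users\Admin\253086396416_10.0_Admin.ini (169B)",
    "66f7659ca6005b9889023f4c06ef0ce13907bf9c6f9fab4f138594b2c800d5b8": r"...\Start Menu\Programs\Startup\sysadob.exe",
}

# Filenames the sample dropped. A repacked variant changes the hash but often
# keeps the name, so the sweep also matches on these (lower-cased).
REPORT_FILENAMES = {"sysadob.exe", "xoptiloc.exe", "dobxloc.exe"}

# Constructed placeholder content used only by demo(); it is not the sample.
DEMO_CONTENT = b"MZ constructed placeholder, not the real sample"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, hashes=REPORT_SHA256, names=REPORT_FILENAMES):
    """Walk each root; return (path, sha256, reason) for every file that matches
    a known hash or a dropped filename. Missing roots are skipped silently."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.exists():
            continue
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            reasons = []
            if p.name.lower() in names:
                reasons.append("filename matches report")
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable (locked or permission denied): skip, do not crash the sweep
            if digest in hashes:
                reasons.append("sha256 matches " + hashes[digest])
            if reasons:
                hits.append((str(p), digest, "; ".join(reasons)))
    return hits


def default_roots():
    """Locations the report shows being written. The Startup path is resolved
    from %APPDATA% so the sweep follows the current user rather than 'Admin'."""
    roots = [r"C:\AdobeED", r"C:\KaVBU3"]
    appdata = os.environ.get("APPDATA", "")
    if appdata:
        roots.append(os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup"))
    return roots


def demo():
    """Offline exercise: drop a constructed 'sysadob.exe' and a benign file into a
    temporary Startup-style folder, register the constructed file's hash as an
    extra indicator, and sweep. Returns the hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        fake = startup / "sysadob.exe"
        fake.write_bytes(DEMO_CONTENT)
        (startup / "notes.txt").write_text("benign")
        known = dict(REPORT_SHA256)
        known[sha256_file(fake)] = "constructed demo file"
        return sweep([startup], hashes=known)


if __name__ == "__main__":
    for path, digest, why in sweep(default_roots()):
        print(f"{path}\n  sha256={digest}\n  {why}")
```

Run it as-is on a Windows host to check the three observed drop locations; on an image or mounted evidence, pass the mounted roots to sweep() instead. Hash hits are exact matches for this sample only; filename hits are the weaker signal and need the file inspected before acting on them.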