a7983f42b1a900f861a7e979c25b56960c8c8093d04dc7a971fd1170b5693575

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37eb0108c9c7c8578d2750ea751b1e20N.exe
Size

2.6MB
MD5

37eb0108c9c7c8578d2750ea751b1e20
SHA1

49f27712a40c88920e245874c8cac5bf962e54f2
SHA256

a7983f42b1a900f861a7e979c25b56960c8c8093d04dc7a971fd1170b5693575
SHA512

a8ec6c28490a7e839eb594dda75a944e0972dfcf663888c60b8d855999ca529f479d192b1fd2db64842eeaf7d2bb5769fda4529927bc84c1a63b4a72792b8283
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSq:sxX7QnxrloE5dpUpYbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	37eb0108c9c7c8578d2750ea751b1e20N.exe

Executes dropped EXE 2 IoCs

pid	Process
3340	locdevdob.exe
3152	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesC4\\adobloc.exe"	37eb0108c9c7c8578d2750ea751b1e20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKZ\\dobxloc.exe"	37eb0108c9c7c8578d2750ea751b1e20N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37eb0108c9c7c8578d2750ea751b1e20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4280	37eb0108c9c7c8578d2750ea751b1e20N.exe
4280	37eb0108c9c7c8578d2750ea751b1e20N.exe
4280	37eb0108c9c7c8578d2750ea751b1e20N.exe
4280	37eb0108c9c7c8578d2750ea751b1e20N.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe
3340	locdevdob.exe
3340	locdevdob.exe
3152	adobloc.exe
3152	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3340	4280	37eb0108c9c7c8578d2750ea751b1e20N.exe	86
PID 4280 wrote to memory of 3340	4280	37eb0108c9c7c8578d2750ea751b1e20N.exe	86
PID 4280 wrote to memory of 3340	4280	37eb0108c9c7c8578d2750ea751b1e20N.exe	86
PID 4280 wrote to memory of 3152	4280	37eb0108c9c7c8578d2750ea751b1e20N.exe	87
PID 4280 wrote to memory of 3152	4280	37eb0108c9c7c8578d2750ea751b1e20N.exe	87
PID 4280 wrote to memory of 3152	4280	37eb0108c9c7c8578d2750ea751b1e20N.exe	87

C:\Users\Admin\AppData\Local\Temp\37eb0108c9c7c8578d2750ea751b1e20N.exe
"C:\Users\Admin\AppData\Local\Temp\37eb0108c9c7c8578d2750ea751b1e20N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\FilesC4\adobloc.exe
  C:\FilesC4\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesC4\adobloc.exe

Filesize
215KB

MD5
f7b3fdaac5be732119a9f7bcd48d766d

SHA1
a886dd58d6f2eb40ce35901507de4db9e3863cfc

SHA256
55825611f1c5a942659e54b35cc9635ad304e8293f36df9d184aad855b26ee98

SHA512
1cefa44572581bbf04519e7945b0a11c2ec53fbb7ce5caf1395a70cdbc46ccad6af8c7027e4cad6f27734556ca9991f0150859a77fa310beb33b39e122b2bc81

Download Submit
C:\FilesC4\adobloc.exe

Filesize
2.6MB

MD5
5e6e20b8462d4c446ad777f72746016e

SHA1
152a1b67ae5bbc15761e7e9cc8f85fee38fa0868

SHA256
1d3448ae38fc9015c7ad1db61b49789b0f18a837adf3bbbb14c23e9d6c2abc5e

SHA512
372fb194543d9d4f162250e0ba6398d5cec09cc5f8ac7c3c7d5228cec5144c06f0f344535446b71872ba9b14bad565b055ad5681b585b89847e5cbda177a009f

Download Submit
C:\MintKZ\dobxloc.exe

Filesize
2.6MB

MD5
d39f01b2a02d33eb7cc8ac71ece58666

SHA1
5ddecd82c7bdb5d8d42dd7ce48712420e4bdaa6a

SHA256
bd326984f9a4c1b71bc52e81b7aee718ae026aeb3cad18676603d44ef306b2b6

SHA512
95a737bba5b9147ce6b3db907681277bfc1312ab8c9abe90b7e8d219a2cce1019e1117b1d410feacacea82d14714e668f93d820e39c31acdf1ffe1cadc7d4ab1

Download Submit
C:\MintKZ\dobxloc.exe

Filesize
2.6MB

MD5
92859e9a617ce54ea24a994a9244fb86

SHA1
343dc6f5f2dc217b9c74b8d59c5b26669b07545f

SHA256
9f720e78f85930433b42962d8fe8789495acd81a642b4be731d1d584b4deb01e

SHA512
bc21ead68e041d7f2b3a9ea7d340da4bb9d93021b1e475d18cabe2d9ffab733de9b35c9e65b0f63ae0c7cddf5b0fc948cec73158e9326dda62378d63ff95f12c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
ed4f33db5297eb722788872b9de39564

SHA1
f3df26cd270216fd9f7501f7f5053cda3557dbf8

SHA256
1c44c36cf6c547c99cbaeabe4beec501c1cca1bf3f0953be91a934f324d58390

SHA512
a9a47b8f35164399a7f6906331d7379c5061bd013912a7b15f1a710489b933fa204bd86a0684fb15af7a0196b8ab550e2a3990b37629c654ca76e1a458058af4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
7dad366e88d385535765baf6274d6c20

SHA1
53ba86daf24361dcb252608f90b7f9ad83e63aa9

SHA256
abb33f56319dc1c0deb2bf3b6e4f8425837ef6a3294076a8f0c6ad96873220cf

SHA512
658fde955b75faf7c59188b8caf8433b7168ba0208d38fa07a086d595e3340b4b3d6ebb19b541ece531d47fc5d8983f41bacc3595567937f961800762358e9e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
a614fc55a1eefd8462622da65f90fe43

SHA1
e20d3ebb5258fbf02dad9054eedd81af7e136f51

SHA256
ff4f9928387d441ea4e8a805ab4351704cecb317c50cb654d01fe0e892b79581

SHA512
3ff82b08886639a261277de5d6d675f4270a59379a64e76e90921c1a019893a33a582b195a869de465f34fa2ab31448304bd8579712d0bd3ba85e2feb1dbd055

Download Submit