Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-08-2024 02:53

General

  • Target

    4b4bb546dd9ad7f18ceb6c2252e66d10N.exe

  • Size

    2.7MB

  • MD5

    4b4bb546dd9ad7f18ceb6c2252e66d10

  • SHA1

    7cbd6b8f616eafb381a701e1bfbd1139b5fc88ad

  • SHA256

    21888a0ed3dd718e5413f9dfee4965bd013fe1d4a22b08de092549c71c8feb1e

  • SHA512

    93fd0199381d389cd5416cfa48f7d27c3eb60378a050508b3b863f549d3eee77963130a2961c5827956bc5dc64147c53425542be9dad8eb509fd49d48a030c28

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4S+:+R0pI/IQlUoMPdmpSpn4X

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
    "C:\Users\Admin\AppData\Local\Temp\4b4bb546dd9ad7f18ceb6c2252e66d10N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\AdobeFG\adobec.exe
      C:\AdobeFG\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeFG\adobec.exe

    Filesize

    2.7MB

    MD5

    1e662b9cf5219c820407134c82b0e4c0

    SHA1

    3284a7a99f2e7cd09b3b0391b3d80268a742f841

    SHA256

    fb8a04dc1b737bea491dfdbafaaa278a05134f2676a007806cde3547ab91251b

    SHA512

    617193e883711571303c63885dcfd5e5f44f56f61a22f3c8bba085bc3c971e54e7fd4f674e0ef25ca8840042762ebac6524a76dcbacedb0a6f0386b6f695eb55

  • C:\GalaxPB\dobaec.exe

    Filesize

    795KB

    MD5

    2b313c77b3f9166b60cd4de9fba191f3

    SHA1

    43a017699c57a2f988b2f53b3fe78047557210be

    SHA256

    3546e2f8c6469310fb042f1b281e6e01ef0eae7864e0809a5a290a324a889e0e

    SHA512

    20750d1e5dc3deb4aa0e514a23fe217279c4b6994af218160cc180cb34c51d2cac17fb2cc5d663bbaee15d4a91ad65ff9ad728b0da494ba4d78d77850b69b3ea

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    189B

    MD5

    f164218d8d0912f26416b2b66e17ee35

    SHA1

    1ffac659c8be292fece2c7f31b6e7a1933aff9d9

    SHA256

    51ee169c3a5d540929babd3ee796d8fbbff5abcf986cb6fcd894a092477f2606

    SHA512

    d0619fde8880c9633f066200d28b9124139e4288b936e9f9fa18dc7aec713e86adf076dfc5223559e718ed802270396550704d0f2e2e2a0e3d7998cc39b0d8cb