Analysis

  • max time kernel
    119s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2024 16:58

General

  • Target

    fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe

  • Size

    2.6MB

  • MD5

    472bd8b04f1ef850d7444b945f4b4b10

  • SHA1

    369f37738c50768e1092c6abe618d6023d484e65

  • SHA256

    fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3

  • SHA512

    83272470b2d06ab3dc2e67afc7b224f6ba9df5b8ccebf9c3dc9f8755d1fd9d3d7b4eddac4f18d145cdbb57dc8c479316bdd87df09dc5325ef2b45c1420b9c117

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
    "C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:744
    • C:\Adobe5F\abodec.exe
      C:\Adobe5F\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4696
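The process tree above shows the classic dropper pattern flagged in Signatures: the sample writes locadob.exe into the per-user Startup folder and abodec.exe into a new directory directly under the drive root, then launches both. The block below is an added example, not sandbox output or the sample's code: it replays that tree as a constructed, Sysmon-style event stream (the PIDs and paths come from the report; the parent PID 1000 of the initial sample, the benign notepad.exe control event and the field names are assumptions) and runs three detection rules over it. The "Adds Run key" behaviour is not modelled because the report does not list the key value.

```python
"""Added example: behavioural rules for the dropper pattern in this report,
run over a constructed, Sysmon-style event stream (not sandbox output)."""
import re
from collections import Counter

# Paths taken from the report's process tree. The PIDs match the report; the
# parent of the initial sample (1000) and the event field names are assumptions.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe")
LOCADOB = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\locadob.exe")
ABODEC = r"C:\Adobe5F\abodec.exe"
OPTIDEV = r"C:\MintZ8\optidevsys.exe"

SAMPLE_EVENTS = [  # constructed event stream
    {"type": "ProcessCreate", "pid": 2544, "ppid": 1000, "image": SAMPLE},
    {"type": "FileCreate", "pid": 2544, "target": LOCADOB},
    {"type": "FileCreate", "pid": 2544, "target": ABODEC},
    {"type": "FileCreate", "pid": 2544, "target": OPTIDEV},
    {"type": "ProcessCreate", "pid": 744, "ppid": 2544, "image": LOCADOB},
    {"type": "ProcessCreate", "pid": 4696, "ppid": 2544, "image": ABODEC},
    # Benign control so the rules can be seen not to fire on normal activity.
    {"type": "ProcessCreate", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Executable written into the per-user Startup folder (runs at every logon).
STARTUP_EXE_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Executable living in a directory created directly under the drive root,
# e.g. C:\Adobe5F\abodec.exe, rather than under a trusted install root.
ROOT_DIR_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$", re.I)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def detect(events):
    """Return one alert dict per rule hit, in event order."""
    alerts = []
    written_by = {}  # lowercased path -> pid of the process that created it
    for ev in events:
        if ev["type"] == "FileCreate":
            path = ev["target"]
            written_by[path.lower()] = ev["pid"]
            if STARTUP_EXE_RE.search(path):
                alerts.append({"rule": "startup_folder_drop", "pid": ev["pid"], "path": path})
        elif ev["type"] == "ProcessCreate":
            image = ev["image"]
            # "Executes dropped EXE": the parent wrote the file it now launches.
            if written_by.get(image.lower()) == ev["ppid"]:
                alerts.append({"rule": "executes_dropped_exe", "pid": ev["pid"], "path": image})
            if ROOT_DIR_EXE_RE.match(image) and not image.lower().startswith(TRUSTED_ROOTS):
                alerts.append({"rule": "exec_from_new_root_dir", "pid": ev["pid"], "path": image})
    return alerts


def rule_counts(events):
    """Rule name -> number of hits, handy for a quick triage summary."""
    return Counter(a["rule"] for a in detect(events))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["rule"]:24} pid={alert["pid"]:<5} {alert["path"]}')
```

On the constructed stream the rules fire four times: one Startup-folder drop by PID 2544, two dropped-EXE executions (PIDs 744 and 4696), and one execution from a fresh root-level directory (C:\Adobe5F\abodec.exe); the notepad.exe control produces nothing. The parent/child correlation in executes_dropped_exe is what separates this from a plain path match, since a legitimate installer also writes and then runs binaries, but rarely from the Startup folder or a two-level root path.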

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe5F\abodec.exe

    Filesize

    2.6MB

    MD5

    d52314e5823394ce339e1e43dab187c0

    SHA1

    3337aab4f387e1e3737cd3c9893250e3dec84832

    SHA256

    afbef5739a14ca7354a5799950cfdfb49a779b47b9b175b2da9e85618d4d3dc0

    SHA512

    a7e24ef31f2bfeed62b54a5b35e036bd1832fab7e3872295b94daa45b2f8c6d95791f7634045e2c62c94c5537991155632a4c1119ac155725913cab8eee04544

  • C:\MintZ8\optidevsys.exe

    Filesize

    2.6MB

    MD5

    456b280f9c2701618aa90b66b9316033

    SHA1

    d644b5f98013aa34c901096748ec2ae6919e01c6

    SHA256

    eb207498d5a2a4937d739f9a9709d25f6d517d1b5c82481321391c4c4243624e

    SHA512

    6238b5580bbada1789f4f0baa3708dee16de56515575cdf2c2de5e61b969d933ff78c4ddef13c92ae2d3a5c7c56d8df37c882f1c19772199dbe4e8e100002d4a

  • C:\MintZ8\optidevsys.exe

    Filesize

    790KB

    MD5

    a9a38eb9e2b2e4dc3f46ea60c6eaae25

    SHA1

    25fec12e6bc90517b9051b368b8bc3d3f6aaaac9

    SHA256

    68b1b34b41cca8bef09b39d7003bc6a367ec110fd36b3ddbbd41ba5112add63c

    SHA512

    f218c1efbb4099b741c86089a307525857e03be9e0127c2dbaae355a01a02db9da34dad10aa8f102b289485c113d86a01ecf8a51b5ceaad1f5b6f4c7d249695d

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    630b3ca2827422f20e5cc7bf924cbb91

    SHA1

    a98a98173d7fa0804d1880e03ab82c9baffbe3d5

    SHA256

    246ccc16fb01609fccf72fa0afb32d883b55997253163bb2ba4697b811120423

    SHA512

    5e11cc35a08eca1e23566bd3445b071f8ed898ede35900c1b752f3d61731669004d8bd59a0822988176d7a3c93f9035d8fedb58a8ccd001277739624eb35ee36

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    f4832135c040d5c29bbf1e9fb758be16

    SHA1

    cc91a57b58eec1104282e8ec503f0d232dfa6ca9

    SHA256

    b7cbf73e3b451d39cf471cde2186cec4c9fc9bc51fdf41f4da3f84eee5864d6a

    SHA512

    870b201cc3069392631b9a7f3d0d795ae1c6d9fb60e00750be56c55d45b5d7a7f0d65a9b454619cfedde3ea022fc224335897381c92e8c8bb956642528163f67

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    2.6MB

    MD5

    0a31595e5f145bc00299dbdcfec031b6

    SHA1

    f4af53ebfec6334c72d58941318f9252c9856ac5

    SHA256

    608e9c97b3f562c3c41de51160c83765c2e93c456d613758ccb2b7b1cbca23f5

    SHA512

    a0cbc680418c3d33b67caceaed1d14d59574ae0c75b2a19c13e67f8a4db3adb077876b94a59f88c2a32995fffc295b76214861b71a4e4a9a8d339353a06f04cc
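Two of the dropped paths (C:\MintZ8\optidevsys.exe and the .ini under the user profile) appear twice above with different sizes and hashes: the sandbox observed two different contents at the same path, and only the last write survives on disk, so both digests are worth keeping as IoCs. The block below is an added example, not sandbox output or the sample's code: it sweeps directories for the SHA-256 values listed in this report and, as a fallback, for files that merely reuse a dropped file name (useful when the binary was rewritten and no longer hashes to a known value). It runs on a constructed temporary directory; treating the .ini name as a stable indicator is an assumption, since it looks host-specific.

```python
"""Added example: hash- and name-based sweep for the files listed under
Downloads, run on a constructed temporary directory (not sandbox output)."""
import hashlib
import os
import tempfile

# SHA-256 values copied from this report (initial sample plus dropped files).
# optidevsys.exe and the .ini are listed twice because the sandbox saw two
# different contents at the same path; only the final write survives on disk,
# so both digests are kept.
REPORT_SHA256 = frozenset({
    "fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3",  # initial sample
    "afbef5739a14ca7354a5799950cfdfb49a779b47b9b175b2da9e85618d4d3dc0",  # C:\Adobe5F\abodec.exe
    "eb207498d5a2a4937d739f9a9709d25f6d517d1b5c82481321391c4c4243624e",  # C:\MintZ8\optidevsys.exe (2.6MB)
    "68b1b34b41cca8bef09b39d7003bc6a367ec110fd36b3ddbbd41ba5112add63c",  # C:\MintZ8\optidevsys.exe (790KB)
    "246ccc16fb01609fccf72fa0afb32d883b55997253163bb2ba4697b811120423",  # 253086396416_10.0_Admin.ini (202B)
    "b7cbf73e3b451d39cf471cde2186cec4c9fc9bc51fdf41f4da3f84eee5864d6a",  # 253086396416_10.0_Admin.ini (170B)
    "608e9c97b3f562c3c41de51160c83765c2e93c456d613758ccb2b7b1cbca23f5",  # Startup\locadob.exe
})
# File names from the report. The .ini name looks host-specific (user name and
# OS version embedded), so matching on it is an assumption.
DROPPED_NAMES = frozenset({"locadob.exe", "abodec.exe", "optidevsys.exe",
                           "253086396416_10.0_admin.ini"})


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, known_hashes=REPORT_SHA256, names=DROPPED_NAMES):
    """Walk roots; report ("hash", path, digest) for exact IoC matches and
    ("name", path, digest) for files that only reuse a dropped file name."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    digest = sha256_file(path)
                except OSError:  # locked or vanished file; keep going
                    continue
                if digest in known_hashes:
                    hits.append(("hash", path, digest))
                elif name.lower() in names:
                    hits.append(("name", path, digest))
    return hits


def demo():
    """Constructed scenario: one benign file, one file reusing a dropped name
    (hash differs, as after a rewrite), and one renamed copy whose digest is
    seeded into the IoC set to stand in for a real on-disk copy."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = os.path.join(tmp, "Startup")
        os.makedirs(startup)
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        with open(os.path.join(startup, "locadob.exe"), "wb") as f:
            f.write(b"MZ constructed stand-in, not the real dropped binary")
        renamed = os.path.join(tmp, "payload.bin")
        with open(renamed, "wb") as f:
            f.write(b"MZ second constructed stand-in")
        seeded = REPORT_SHA256 | {sha256_file(renamed)}
        return [(kind, os.path.basename(path), digest)
                for kind, path, digest in sweep([tmp], known_hashes=seeded)]


if __name__ == "__main__":
    for kind, name, digest in demo():
        print(f"{kind:4} {name:14} {digest}")
```

The demo yields exactly two hits: payload.bin by hash (a renamed copy is still caught) and Startup\locadob.exe by name only (its constructed content does not match any report digest, as happens when the dropper rewrites the file). On a real host, point sweep() at the user's Startup folder, the drive root and the profile root, and hash-check volume shadow copies too, because the 790KB and 2.6MB versions of optidevsys.exe cannot both be present in the live file system.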