Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 12:45

General

  • Target

    f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe

  • Size

    2.6MB

  • MD5

    a3875c96399721e33b1ea6180d7f6e50

  • SHA1

    ee29ca8862ccfb321c3cee04d6564dcf41d56402

  • SHA256

    f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3c

  • SHA512

    7681adc3c525607a6bc9fcc33d39c961a0eb0cd95deffcf9495ccd447ebbedfe026bddd3dc501b9ac61f057f82237125558869a5625482f21f116efd67912670

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSq:sxX7QnxrloE5dpUp6bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
    "C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3764
    • C:\UserDotMC\devdobloc.exe
      C:\UserDotMC\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1772

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZG5\dobxloc.exe

          Filesize

          2.6MB

          MD5

          858c814a6660013bb5ab014a288e8d5a

          SHA1

          5b4fcb43a8893e4ff71b817c592ddf2e0945dfbf

          SHA256

          15aab088d7b1a73c8cfde4d78f272340e34545f6d593c44082a2f56cb53c5126

          SHA512

          33dbd76747562b75809186a6e8ffa0beffa50b622cd61c7a5c2aa69657b5137fbd17bfa6bd5e235b1ec442482d5fb19fae5261695d933b4db3a3462d13f69c51

        • C:\LabZG5\dobxloc.exe

          Filesize

          256B

          MD5

          bae5eb085a9f023b8d36e2a083933bdd

          SHA1

          c8f3b383d6ce74e8606027a03db4b0ae08c513b1

          SHA256

          b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab

          SHA512

          93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

        • C:\UserDotMC\devdobloc.exe

          Filesize

          2.6MB

          MD5

          12388a1d28c3f73f09d093fa650f55e2

          SHA1

          5d8a98fe71749573fcb94125d182018c18161533

          SHA256

          a165cfb9793f8caaad87ca126c94e168f76ab6be0f8bf4562fe9f050672b88c2

          SHA512

          aab9b0f407c164d8f1a16280112d977196b966d14297f352597c6e214cc04175f9c0f5f4b9b5bf9ae99b11b704be65a5688cd2db03bdccfab0bafa278d9cc487

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          206B

          MD5

          a3ea100a13cbc201a1103478b0eb0f0b

          SHA1

          b48679f64d4e6f243cf724dc5a427e034b5908c0

          SHA256

          fda351f1812515d59aeaef74a2c0f1f6bf1f3bc246f4b5a301aa6aa5aae44df4

          SHA512

          13bb5cd325a4b40aeebfc6426a6717d78f6351f71cccb35e36f3de992f9d3603ccb70cc63ad147c52873ee2fa2bcb8fb9e4ab375bb10399328c0fb66563bbc40

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          174B

          MD5

          0a70ba75a803446a0dd9b69a9d5b8b1b

          SHA1

          3bf821b50d0faddbd23199fd84f23da34c3a7cf2

          SHA256

          86b3d5a61a4d865f4494a7e55595644cb96ed83f2854cc578b961a52fbf8ff1a

          SHA512

          5623a64e3e57f6792010092aa9058d88a836eb019f019ef491b220e722aa2e68aa83022b63d3cfc618c4e5f6304f77435cab0882d73c0b0e14ff8f44a50f3fb6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          c0032b5e1e6bb4cd09131791351f1c64

          SHA1

          3beb56afba04d39d660f321b28edb17cab9d23f5

          SHA256

          fe56ce5895ea379e18a1e8a8f7c5d9a45f738b3f5594492801c4f616479d4c39

          SHA512

          93d0979667f22fd91b5bfddd24f778824a682997093639dafa923e55355ecd1633d1020019f5b502c7b868e680b5a0c56375bd78cd3bf1ba669520551b4118e9
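As an added example, not part of the sandbox report: a small Python triage helper that takes the launch path from the Processes section and the dropped-file list from the Downloads section above as constructed input and answers the two questions a responder would put to this report. First, which written paths are persistence or staging locations (the Startup-folder copy behind the "Drops startup file" signature, the two non-standard root directories C:\LabZG5 and C:\UserDotMC, the .ini dropped directly in the user profile). Second, whether the hashes are worth blocking: every 2.6MB executable on the page, the original sample included, has a different SHA256, so a hash-only IOC misses the next copy. The location categories, the KNOWN_ROOT_DIRS set and the function names are my assumptions, not taxonomy from the sandbox; the Run key named in the signatures is not covered because the report does not show its value.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

# (path, size as printed in the report, SHA256). Constructed input copied
# from the General and Downloads sections above, not a live feed.
Entry = Tuple[str, str, str]

ORIGINAL: Entry = (
    r"C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe",
    "2.6MB", "f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3c")

DROPPED: List[Entry] = [
    (r"C:\LabZG5\dobxloc.exe", "2.6MB",
     "15aab088d7b1a73c8cfde4d78f272340e34545f6d593c44082a2f56cb53c5126"),
    (r"C:\LabZG5\dobxloc.exe", "256B",
     "b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab"),
    (r"C:\UserDotMC\devdobloc.exe", "2.6MB",
     "a165cfb9793f8caaad87ca126c94e168f76ab6be0f8bf4562fe9f050672b88c2"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "206B",
     "fda351f1812515d59aeaef74a2c0f1f6bf1f3bc246f4b5a301aa6aa5aae44df4"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "174B",
     "86b3d5a61a4d865f4494a7e55595644cb96ed83f2854cc578b961a52fbf8ff1a"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe", "2.6MB",
     "fe56ce5895ea379e18a1e8a8f7c5d9a45f738b3f5594492801c4f616479d4c39"),
]

# Directories that legitimately sit directly under the drive root (assumed list).
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                   "programdata", "users", "perflogs"}


def classify_location(path: str) -> Optional[str]:
    """Label a written path by the persistence/staging pattern it matches (assumed categories)."""
    if re.search(r"\\Start Menu\\Programs\\Startup\\", path, re.I):
        return "startup_folder"        # executed at every interactive logon
    if re.search(r"\\AppData\\Local\\Temp\\", path, re.I):
        return "temp_dir"              # where the sample itself was launched from
    if re.match(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+$", path, re.I):
        return "profile_root"          # file dropped directly into the user profile
    m = re.match(r"^[A-Za-z]:\\([^\\]+)\\[^\\]+$", path)
    if m and m.group(1).lower() not in KNOWN_ROOT_DIRS:
        return "nonstandard_root_dir"  # e.g. C:\LabZG5, C:\UserDotMC
    return None


def distinct_hashes_by_size(entries: Sequence[Entry]) -> Dict[str, int]:
    """Number of distinct SHA256 values seen for each reported size."""
    seen = defaultdict(set)
    for _, size, sha256 in entries:
        seen[size].add(sha256)
    return {size: len(hashes) for size, hashes in seen.items()}


def rewritten_paths(entries: Sequence[Entry]) -> List[str]:
    """Paths that were written more than once with different content."""
    seen = defaultdict(set)
    for path, _, sha256 in entries:
        seen[path].add(sha256)
    return sorted(p for p, hashes in seen.items() if len(hashes) > 1)


def triage(entries: Sequence[Entry]) -> Dict[str, object]:
    """Summarise the artifact list into hunting-relevant facts."""
    by_location = defaultdict(list)
    for path, _, _ in entries:
        by_location[classify_location(path) or "other"].append(path)
    sizes = distinct_hashes_by_size(entries)
    return {
        "locations": {k: sorted(set(v)) for k, v in by_location.items()},
        "distinct_hashes_by_size": sizes,
        "rewritten_paths": rewritten_paths(entries),
        # Same-size executables with differing hashes mean each copy is unique;
        # block on path and persistence location rather than on SHA256 alone.
        "hash_iocs_sufficient": all(n == 1 for n in sizes.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage([ORIGINAL] + DROPPED), indent=2))
```

Run stand-alone it prints the summary as JSON; on this report the 2.6MB group yields four distinct hashes and hash_iocs_sufficient comes back false, while the Startup-folder path and the two root-level directories are the items to carry into an EDR hunt.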