Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 13:06

General

  • Target

    8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe

  • Size

    2.6MB

  • MD5

    33b4e30ee96a5727bc4493aeabd22780

  • SHA1

    e3afcfbe56f525706e317b6eb6d0a14c7da21f04

  • SHA256

    8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39d

  • SHA512

    b4ad73297d7a865b0b50f6e4ee51281e7279ffd47d3baf0af658cefd80b2b94d1c99993e6757a87a06e099f2ca801a20e1e35e6dbe5172df2c025c509e528e73

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUp6b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
    "C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3724
    • C:\FilesNW\adobec.exe
      C:\FilesNW\adobec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2680

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesNW\adobec.exe

          Filesize

          2.6MB

          MD5

          f1313f3c640b9eba1e874109252a649a

          SHA1

          5933eabdda64aff5d456eafb95f7df8f7ce79e70

          SHA256

          2cb02b444111d8c3a4374b496e0c281033db3de0246ed9af610f0f105b72f9d2

          SHA512

          3f41f7089d262bba0f9190c77202793eb995bb0a6df49d839ef2161f1f00c0f3627ddfc778101cc6a7f8466f5869540a19248e98768e809b473eadbfac37e095

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          ad50c09de3db7f654a6e88d0bb8c6cc2

          SHA1

          377f1b04623782900e42dbd5d6aefe498a6e82ca

          SHA256

          d4339c6fbbc6e3f9ddd601da2cc99336513f25843da8e54554eec37528568654

          SHA512

          123b4880bd70b4626cdca82d5e2f25587275b47743fb7f1ae581886abcc54c0fcb33f571acafb25426de3bccc11e997afaf69f53de1d1c743fbfb307235070e7

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          6a2769b475f6a6c6d6f8c5edbe10f092

          SHA1

          14ffffe226ba4b1db32f629fcdc32e9c8bf19a8f

          SHA256

          d1e282c90e0b4b91b82725664010c26af3fb5d3f688fff429dda4d0cfdb6816d

          SHA512

          bbd84d7b6156702ca525065fd49b2e6ecf8ea8542507e6e979ebe2c8f4ca021884002b2d3d229b5a1547e3ff3fbd68394482185a84b407100d3ddab192d68824

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

          Filesize

          2.6MB

          MD5

          dd8bef981f282930a034f83df8367903

          SHA1

          a88362c114488c4652f87523fb3e3fe809eeabea

          SHA256

          49526c4b10a69ba358521d798c1bcb9499fd0c9f0ba5c5765f31ec2fd6cd6451

          SHA512

          863a9c2865264d9c76d43711acd64a7a924620bfc60d361e67106e7b4ae338f75d345cdc8b692c6450993390f547026faf515436c596a16da4c649a0ee4b92ab

        • C:\VidSG\dobaloc.exe

          Filesize

          279KB

          MD5

          9d1ab53997f65bc5185b49b6e2479ef2

          SHA1

          cb532aa628a2837e0752bd57d69b4451291e9f2d

          SHA256

          833d0577c3514dc8d97bc71854a30666efcc5ad75334cde6ade2f634c6ca0416

          SHA512

          68ff0256151067ddddd4d98e0d075a3b5c7197dc87c2c65a12e0de39931c65a5d9b8f70f0c35857130625c6c4b51d2f212f5c74864e5f8a3b52afca76ecec0cc

        • C:\VidSG\dobaloc.exe

          Filesize

          2.6MB

          MD5

          09d44ca6acac043781be969fc6687470

          SHA1

          549362fc10dd11e2a7341b1b1b2492aad1912e85

          SHA256

          440da96083dc9dae8f390d4bebb56e9fc74f4f468d1a810fc008711786160e93

          SHA512

          b12b040a7cea753ff80d4ec43bd316b59d88e852583e6831da09dea06927d91a5753c3963bf8e57d03206d3c47b93375d6194621574b62b347cb20620b8741ea