Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 13:19

General

  • Target

    87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe

  • Size

    3.1MB

  • MD5

    1cc4fd9074b31a840dc9915f9442bdd0

  • SHA1

    f2fcd902e7097c95ac5391331d85aba2b4e6cc6c

  • SHA256

    87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7e

  • SHA512

    24d2c750c38f24c78d3ab58f03481a3cfab1666be113aa317bd9dbf94ebc46d157308d35f24c0df9669221e3a758d528dd304cdaffd83be456103da7552d1088

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUpCbVz8eLFcz

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe"
    PID: 4068
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      PID: 1676
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\AdobeE4\xdobsys.exe
      Command line: C:\AdobeE4\xdobsys.exe
      PID: 2336
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeE4\xdobsys.exe
    Filesize: 299KB
    MD5: 141fbb4f200db924e182b31df937dfc1
    SHA1: b9e778f1dfc9c7abed56a94a7d55f19c31ce049a
    SHA256: 930d4d6dc926b819e0023b980aeb726d7facbc647d9331a1db73d84a4da411df
    SHA512: dc620aecdfb5242dc09900c8bb73cb01c9451e4cfa0dd5cd9ed4d4fb8189d5e219545099b2571316c121216740ae4c229dfdaf65c1050d2e5c4ab2d39592618d

  • C:\AdobeE4\xdobsys.exe
    Filesize: 3.1MB
    MD5: ea2070c0b2b2c3741fa083bd651dae76
    SHA1: 52c66c3a6fd4b135ae861fb29a0853b7be6fc47a
    SHA256: 2cd35a85ccce0fe694aec806169b60bc06354a9fa0523ae766b43b1d7c18b9b7
    SHA512: 7b1a1735bfe7b8a4432997a80d2e32e8b8e74d5200624e2eac32de0d265d7a58126eb40073d8c9fbe7d01d325b414be3534cee6520e71a3938463a666975b1cd

  • C:\MintNG\dobaec.exe
    Filesize: 3.1MB
    MD5: 5d7c52949a65f525baa7c871a4755c89
    SHA1: 3749205b8babafed57ebe0244de922cc0d918db5
    SHA256: 522640076b4946a999cb2d5624f029688fec4ce6ad8222d83b7a3dca858cb9e5
    SHA512: 422ce3e477614957e621741184a4e2a998686c0739667419220b62bd7ab125d7da533d7b2dcbc69b334598b92566f2d181009df8d84c14bcf93c315e091c96d0

  • C:\MintNG\dobaec.exe
    Filesize: 3.1MB
    MD5: 0e0c92fb52ac15ef34204fbb95a38468
    SHA1: 063ce6e25197dc1d11eb52caab37e6e7b3455afa
    SHA256: eac90185a0f5816328da27e75a62bd773b24977ebc39c2c9f1d8f1f1c89769d2
    SHA512: 04247c473552384847a32f9cd54104cc69749a2a191bb83275968f921ae9d5ed0b337f209931d54c538bcded3c3f00de16f2a858ac0ccaa54991263bdd0f139a

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: c7ffb16836cb698bb60b2d9dccdb51c5
    SHA1: d1d293d7c28bd33ce02b26692556a52de979e376
    SHA256: 6229c9808003ed478b4374cdb0bf0293c358e1d17dc3b557d4cc8ca2840c9414
    SHA512: 5cffa016fa494b246f0fbbd510ee2fb8323d7cf111ca768fa6f452b18adf885d59cb72ecef0166f40eaecbec0ac0e5c52c0d3672ce6d4d5b594d026d88ac2afc

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 980efc9f74bb529f762cb3fb90d03644
    SHA1: 0bbf8584cf6b2a9e26792b1c90ab05e69049ed0d
    SHA256: 596671ff7e69be370b3dd34a49411861b8b34911db5b57015d7765120d80d809
    SHA512: 5ebfc10ce89f96512cab9fa3840f8302765b2a18534e2de0282439fa20eb025f29d5d60ec73ab6fe4c62db2a2e97a0014974da0922fcf2758870b9a253692286

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 3.1MB
    MD5: 21c8429f4521e0cfe01f1eb67e9017f4
    SHA1: 9215e6e30faf7acc9b2a354371b7d658417e8cfc
    SHA256: e2db10aba2ee0815bc60bbd54d9cdcbf599202b86ddbf089c8ffc2b204bf4936
    SHA512: ee9cb6c2ee4f01ec54570a31e4497ec2a647a6be3193707e382cc3243bf8b3e4b64ceb20cf8602bc095ecefe72cd1bdbbc059fba3af6c22f1e93807a9071bb77