Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 00:01

General

  • Target

    42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe

  • Size

    2.6MB

  • MD5

    28059835fcef9aba9240ae90757e0290

  • SHA1

    a15d9d51328309f8bc59de08eaecfec07483e8bc

  • SHA256

    42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40

  • SHA512

    b4be8d2a584785d8092cec220f2b167977f9f53e49cc3a840843381a9ae69fff2bbc04a7b76e536dbe352bb5134e6ef1a9f612ae113a7d55e21600eac329d990

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
    "C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:368
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:344
    • C:\AdobeCP\devoptisys.exe
      C:\AdobeCP\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3552

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeCP\devoptisys.exe

          Filesize

          2.6MB

          MD5

          c85958552ca53df5cfe3a431fe83c299

          SHA1

          6d4783ab0987d622e917c4ab4854a0bd92ba477a

          SHA256

          f28dcaca530aaf867d9c1adeead9a3407c6406b1a71bd72a430335e8585a137e

          SHA512

          6fe0dd0f1a1b10853248338f48b9b4acbeed0394ef075d2015f1a4b475432eb4baa311dd82ae3f4c5a2a1add4291aa4950fb5641ebcc132cca0556054448e2d5

        • C:\MintR6\dobaloc.exe

          Filesize

          2.6MB

          MD5

          d2ad1414c7fc881eedbb5658990ded66

          SHA1

          b7dbf1bbeda1b1fc9c5f315db56a43b99e1076ea

          SHA256

          e8315b492b9de26e1dc0656dc62a454d09fa582d7b8145fc8786265cb1cbe8dd

          SHA512

          f3f8db602d742ba3e9b9bd69d7583db65f05b07dbc81d82831820d7176948ac1cefa63574aaf037b2dd992f9d3ea1ca33c9a6ca0b856f490f73a633a0ccb401e

        • C:\MintR6\dobaloc.exe

          Filesize

          2.6MB

          MD5

          03e8d0a7f0c1c55f1931a8130f07ef4d

          SHA1

          e76110181ec468f257f780bd47aba2df414f0af7

          SHA256

          bc88bac0a2b82ff5e51b659eaeef6790bbddb60cb127c8cb2d7d1a3b410c90e7

          SHA512

          0f79d9e21842137e57e53f02823957a4eff4510db47ba8cabad8be86c0803517cf39f520c8de76e3db354726a9d95efeaa27a0e5864a70cd9b2a2979e74e0305

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          eabde8b37200d12dd20e1df4709ba347

          SHA1

          72c3748eacbc9b2f3e6497d6ddaefce6c340eb5f

          SHA256

          3aa5d454c0ec3ecb6d1458c23c022d7e9fbc92cae5bd6305a661c6756594400a

          SHA512

          209db248e9feabe5dfc26f9c5f796f0d9e5d99e963513d4dffb7a1c40a397cec7bcddca61cbce92a166c7392483aa2b4f0ba2e53ef8738c380365dc774842136

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          a1a0fbc24b7606890b5b396148d6d5b2

          SHA1

          200a965cf3ce10201fd38b186fdfe912df8e99c2

          SHA256

          3ca444291e19e1519a909bb4543b50e1342b6908a7b1a157df1f59fd04aab066

          SHA512

          f8f19d3526c49b7056d1c0cb442032dea2b7d2bd70d457504bc029804704b9a968b902ffc1978b9a7436b31773146336d6e7a778f5f0c9278066259828d81aec

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          2.6MB

          MD5

          224745e89cb23cf387cec86bddd27372

          SHA1

          d2efef360ff41d39c7f0bd1f1308fb569c120913

          SHA256

          1cc08945310f6d2137110cdb3577748b2b71647285aaacfce5767495605f0252

          SHA512

          b4ed535866796d63efcb3f0a50a4a6e29169a698586a5b4a82c6a1e8a5862837a2dc7c4dcec03f772743289509df46817ded319d279bac9c28f0ae814917e749