Analysis

  • max time kernel: 150s
  • max time network: 136s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/11/2024, 23:06

General

  • Target: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
  • Size: 2.6MB
  • MD5: 8b8953477fc1a7b1c477705dac753fa1
  • SHA1: 5d8eb49842577eb6a65efb20538f7bd3ce921abe
  • SHA256: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987
  • SHA512: 7ae486a1db0324e9afa38ed98256e59a23eb92806fad29352c7a211f7ee8354350982e6a72147d9ceca164c4a0b21658aa58bc53b3fd0d530f173814226a0681
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
    "C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2708
    • C:\AdobeOV\devoptiloc.exe
      C:\AdobeOV\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2664

Network

        Downloads

  • C:\AdobeOV\devoptiloc.exe
    Filesize: 2.6MB
    MD5: 95777fab782070dc2ec47679d47b9ab6
    SHA1: 46ba610e563bdba0884ed6d2584dc063c77749f4
    SHA256: 3b938c41e168814fcc50328417f6ba1715bcf90ad841b98cd9413f580a6e5c3e
    SHA512: 0220b704d6b6c4936139cfddd380fb19bb868ea0859201a43af7533ef050a70b367aec02366429c495ef14e7ca2a8d8c3a70754d3413616e92fdfbbb0f75e125

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 26e8d030a3324784a338e25db6b7bac6
    SHA1: 62685c1c13e5cc1822b7c3fb4ec71fee0aa7b7e9
    SHA256: 53184f4d0e20fc3053d996d5ddac5f6d0fb25f878b3a24b4ff2601443613c1ce
    SHA512: 8e13ff4e5a21e92f9b6141407034270c5703dca0ffc1c1b3cac0e80ca2aff98774f27621cc1e96254a25cb3bd5fe13127318d0fc2ecbfe05ad8d01cfcbaab9ec

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: 1167583ca639dd4c6e0333842c38ad98
    SHA1: ccba52582f7e663356f937ce4c09d6ba6231f203
    SHA256: 75e5f9393e25d171d2d9cac28e174306dca6c3933d4b2a8037152809f4d5fdd3
    SHA512: c9f2d29305bf401512aeb654b625c643f0c45a4cb1d619b165f7261c45009f66742b0aca507d61ce51736b45da6dfb50a84e2da2b952888af12a50cd5b5f5233

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Filesize: 2.6MB
    MD5: fd02a0f11a69c3fba92319687544af7d
    SHA1: c51a088fa1629a43cfe7dc4215f2549246e87c4a
    SHA256: 4b86defd01edc7cad4943700ba3e8348122d657386b4d7249829c0cc8ae19736
    SHA512: 03f1b9b81d1ae4c97098fa7a814f4458818a3e819b81a67a5c874de462e3fa2704e058e2b1b85bb17d7f19f0365601acbcbb1b0646d6d745bdad34eb0a0366cd

  • C:\VidNT\bodasys.exe
    Filesize: 2.6MB
    MD5: 98ed1a7a12bfac78414316f2691a9295
    SHA1: b30aa7ea83e002a72c77a4fee3fb536afef6099a
    SHA256: 11e6e8fcc7031f183bc625f28ad4fbee951799b845c2a5d205e2afc087e53a0e
    SHA512: 398c9fe10f21ddf36d651122eb241cae7c8e18e0eab5c325659a912a4176a5eeb6cd8f176a39e12314fec6ab6d6b4e3ea523e05322b9caef62d86b1512f5d4a3

  • C:\VidNT\bodasys.exe
    Filesize: 18KB
    MD5: f3611b180f53e7b766446f16c0eb47e8
    SHA1: b0a5575b4fca6d2ca1ebf68f998124b33189a5e8
    SHA256: da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f
    SHA512: 80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1