Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:08

General

  • Target

    88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe

  • Size

    2.6MB

  • MD5

    23d0af67dfe646f9e6e097a3acfa9496

  • SHA1

    9de285012d4eecad61214f49f0d85f0908196631

  • SHA256

    88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626

  • SHA512

    a80122dc354010325dce2a93abf27e6d9b40ddca1e1ddde96dfe1cd58e71e3e33fe1a00313eac94c478da1ec18fa30219b124e21600a73de1aeb06694c43c5c3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSA:sxX7QnxrloE5dpUppbR

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
    "C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4588
    • C:\FilesP6\devdobsys.exe
      C:\FilesP6\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5116

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\FilesP6\devdobsys.exe

          Filesize

          2.6MB

          MD5

          e98461758ad6752a8a4c6d493ac275e1

          SHA1

          6c3e89ed39e13d5dd1192524815264835ddf599c

          SHA256

          be2fd500615531bfc19317944d10a960d17d0e6995f0f857eea944a3f73263bd

          SHA512

          802b2a73b7e88181f5002492397012923a3ed929e31769b252d8763a278545fa779812d61c5348dc04908effb9d2b34d619f2d193386ee52cc366dbc4f2f683d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          6a3aa751eee96442ba8c4eeab4f43ca5

          SHA1

          8ba3fa4039867e2f2087629b17f34bec154f8687

          SHA256

          401af69361bd5327e366a8220c9bc72c37891221d439e325bfc04d9973645ea9

          SHA512

          4b6eafe158ac411da008f11594db43bc982e879f5621c7a7014b2a563d21ef2341fe31801a8880ee1e3b31a99833f7e40cfe186ea633d96c06e7668796179d56

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          e56576c996c34ff87ce0d543daac8e41

          SHA1

          210277cf94fe9c08e30c192b1f633727c6e68ee3

          SHA256

          dea8bdf86c6a79cc3877f612f5e8287a685e4803b02a44e654986b80163062ae

          SHA512

          33447621637d28e5bae11798b4e7e5333b230d9265e9ce8d6f592069b7bc507b4e847faf539b962fa26b38d1b70414d92403cedf5dc82c0c9bc8dbbf658ec881

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

          Filesize

          2.6MB

          MD5

          86ea4ad862503ff8bf6023b229250877

          SHA1

          12a2d8539577dbd4a3fb7f6244885d8f5a3bb67a

          SHA256

          72bebb7912531c33da792ae09c49ed5e29abe6437ee9977d3bfcece528605220

          SHA512

          fae7153856f508eda3e49b1e62ac0253c8a1c1901dd45b5ae9af8cfb0765bc41a7fd2de9082452523ca4fb5372a51dc409c5d93fd80ae41fb24d8c7ed3143bd8

        • C:\VidEC\dobdevec.exe

          Filesize

          2.6MB

          MD5

          6601aca06565d3acf05e2c873cb6fd72

          SHA1

          e78118ed5b2f92a8366f057d211b99c48506e779

          SHA256

          999fbdef4fc909c31684c296dd32be95aff027a0953830d64b277e6454e22ccf

          SHA512

          f550e4985cb88525f3e883e2e4da0235af3fb3f6bf0a8b2d9faf576818c0f2fff36598b85e77741bc6132e0149d1f6032931db8ad1ad0ce19281950ab883374f

        • C:\VidEC\dobdevec.exe

          Filesize

          2.6MB

          MD5

          02fc151485f0a22baabf5617e9c474d6

          SHA1

          02334cbfdaaaa383e40082e2d7c3c2f69ecfaea9

          SHA256

          1c4a06e04c9d2392b4da1db1ef81a4e1aae8e846a1431ee2ee32f4b796c3b550

          SHA512

          94e2ce10c58b331ae6466bd33fcca60bf23862829673dc7ed9b09e8adcc0342675475835e90bd74f8ed468c0e13c201f3f69a16b0077e752e0cc8ed8d0d14412
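The Signatures and Processes sections above describe three behaviours (a file dropped into the per-user Startup folder, a Run key added, and the dropped copies executing), and the Downloads section gives the SHA256 of each dropped file. The following is an added example, not part of the sandbox report, of how those observations translate into host detection logic: a small rule set run over Sysmon-style events (ID 1 process create, ID 11 file create, ID 13 registry value set). The SHA256 values and file paths are taken from the report; the event records, PIDs, the Run value name `devdobsys` and the benign noise events are constructed for illustration, since the report does not name the Run value.

```python
"""Detection rules for the behaviours and dropped-file hashes in the report.

Added example, not the sandbox's own code.  Paths and SHA256 values come from
the report; the Sysmon-style events below are constructed sample data."""
import re
from collections import defaultdict

# File IoCs from the report (Target hash plus every dropped PE in Downloads).
IOC_SHA256 = {
    "88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626": "original sample",
    "be2fd500615531bfc19317944d10a960d17d0e6995f0f857eea944a3f73263bd": r"C:\FilesP6\devdobsys.exe",
    "72bebb7912531c33da792ae09c49ed5e29abe6437ee9977d3bfcece528605220": r"...\Startup\locxdob.exe",
    "999fbdef4fc909c31684c296dd32be95aff027a0953830d64b277e6454e22ccf": r"C:\VidEC\dobdevec.exe",
    "1c4a06e04c9d2392b4da1db1ef81a4e1aae8e846a1431ee2ee32f4b796c3b550": r"C:\VidEC\dobdevec.exe",
}

# Behavioural IoCs: the per-user Startup folder and the HKCU/HKU Run key.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_KEY = r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run"  # constructed SID

# Constructed events mirroring the report's process tree (PIDs 3340/4588/5116)
# plus two benign explorer.exe events that must not fire.  The Run value name
# "devdobsys" and its data are assumptions; the report does not record them.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3340, "image": r"C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe",
     "sha256": "88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626"},
    {"id": 11, "pid": 3340, "target": STARTUP + r"\locxdob.exe"},
    {"id": 13, "pid": 3340, "target": RUN_KEY + r"\devdobsys", "details": r"C:\FilesP6\devdobsys.exe"},
    {"id": 1, "pid": 4588, "image": STARTUP + r"\locxdob.exe",
     "sha256": "72BEBB7912531C33DA792AE09C49ED5E29ABE6437EE9977D3BFCECE528605220"},
    {"id": 1, "pid": 5116, "image": r"C:\FilesP6\devdobsys.exe",
     "sha256": "be2fd500615531bfc19317944d10a960d17d0e6995f0f857eea944a3f73263bd"},
    {"id": 11, "pid": 1234, "target": r"C:\Users\Admin\Documents\notes.txt"},
    {"id": 13, "pid": 1234, "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "1"},
]


def detect(events):
    """Return (rule, pid, detail) tuples for every event matching a rule.

    Hash comparison is case-insensitive because tools differ in hex casing."""
    alerts = []
    for ev in events:
        eid, pid = ev["id"], ev["pid"]
        if eid == 11 and STARTUP_RE.search(ev["target"]):
            alerts.append(("drops_startup_file", pid, ev["target"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["target"]):
            alerts.append(("adds_run_key", pid, f'{ev["target"]} = {ev["details"]}'))
        elif eid == 1:
            sha = ev.get("sha256", "").lower()
            if sha in IOC_SHA256:
                alerts.append(("known_bad_hash", pid, f'{ev["image"]} sha256={sha}'))
            if STARTUP_RE.search(ev["image"]):
                alerts.append(("executes_from_startup", pid, ev["image"]))
    return alerts


def summarize(alerts):
    """Group fired rules by PID so a process hitting several rules stands out."""
    by_pid = defaultdict(set)
    for rule, pid, _ in alerts:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


def high_confidence(alerts, min_rules=2):
    """PIDs that triggered at least `min_rules` distinct rules (dropper + persistence)."""
    return sorted(pid for pid, rules in summarize(alerts).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
    print("high confidence PIDs:", high_confidence(detect(SAMPLE_EVENTS)))
```

The hash rule alone catches only this build of the dropper; the two behavioural rules (write into Startup, Run value pointing at a non-standard directory such as C:\FilesP6) survive recompilation and are the ones worth keeping in a production rule set. The noise events show the Run-key regex does not fire on other CurrentVersion subkeys.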