Analysis

  • max time kernel: 150s
  • max time network: 146s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11/11/2024, 22:56

General

  • Target: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
  • Size: 2.6MB
  • MD5: 06a8ce2ed29c283efd02f9ba5c161c33
  • SHA1: e837f4f40a14ca7563c207c9d29115a666a0fdf6
  • SHA256: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1
  • SHA512: 02b1250c811b50b4d027d559e52fd1969defb177665494244c6c18f9078c44c525c7a029c16ca35a9a65949386258df7057386393bae096b3a3ce71e73dc46d2
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSq:sxX7QnxrloE5dpUpvbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive material.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
    "C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:696
    • C:\IntelprocDD\adobloc.exe
      C:\IntelprocDD\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3660

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\IntelprocDD\adobloc.exe
          Filesize: 1.7MB
          MD5: 6e2e2ae06d4965f9ae7e4f6d61d39785
          SHA1: 5557808b1ec9f94485115a5bd5dea041c85fb346
          SHA256: cba157ad63dfb08c88245c7791db8dd4c670fa782d3849d6fc2ffc54a51c84e8
          SHA512: 43e32faf52b264423328f9802f2ed336d8e45b30e676305ff0eda27e4dcecdacfa8d0ffbb7edef908078fb297a0787d5ac8155f7ae4012aa66c1dfa387371234

        • C:\IntelprocDD\adobloc.exe
          Filesize: 2.6MB
          MD5: ffff156d86136d0d3aff1fd02be3a5da
          SHA1: 1783a766011fce713e23aba621d5598e748baf23
          SHA256: 30fd6b54df04d58c3027f09e512686972e9530a14b176c37e65450f8f5850abd
          SHA512: d88a6885910bd2e6236678462d6dc0340de32fd2c9dfd7f84bcc75f734659354cb8f738bc6651f7134d22db189dc6c5be3eda906f97df1f82a50b2d1defc0fb5

        • C:\Mint6J\bodaloc.exe
          Filesize: 2.6MB
          MD5: d5502f1df8d13b8b0e87be198f8085a9
          SHA1: 2b96cedf210867a0077934dc884d375f5f293d5e
          SHA256: 2c226d4283aba2a14323a347774b1048b57f570f6a3b8d8772a3024ee25b26c4
          SHA512: 666e660aecdb6d50d2b66a299696fe2275bdb965d601ac88a1f86200b00849461879df1c35a1ae3e63e7340c9da40480f7d0e1187cb3081d2f956369cf9ba1bc

        • C:\Mint6J\bodaloc.exe
          Filesize: 21KB
          MD5: be6bde58cb6cf4840bf2f369216e6ca8
          SHA1: bebe32f42ee735ab61615b73aeafc8ee34bd033b
          SHA256: 3ad7f6033f2b1db728c3a4b5c97696b4937d8a8e6f48b2fc59fe0fe3b42b1125
          SHA512: 2cac71141edb08665138751ac2e4c07afb181573db67b4fb52e2fcff3eb94639225e88eec03aefeddd29debf271a301297f474744cb4daf8107395735533d1ba

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 206B
          MD5: 6fa69b52149d1b706645cda60606ba9e
          SHA1: a0049173fe2add3d31985a0b5d4061845a415d0d
          SHA256: 8c6dcc1a7a792189f5b0673a16c7bebbbbee54e30fb5c69ab6adb7db5afe6784
          SHA512: 4196d3820984f9ec1a2a632908801b81f2ec2b16acb4194f51bac965ab048b1a40813afa20dee21cd30d72d267686a72a916f1d165fede41e84df9d798dc48fe

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 174B
          MD5: 404a763f5454dffc34c87c5843c6e2b4
          SHA1: f7b5715aa668122315019bfc34c0405ae0e03f68
          SHA256: 905def7c98c67f454c831ece74e600c9c7c869474b5113da0a05a1aed63ccd3e
          SHA512: a597ef4cd67a2357b416ec2649b58489959372d45e433f5e79ff8ffb27f945619b2a3c78d7e2b4d2071e5602458b66d84a98affd40971d1f4af71172aa92c997

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
          Filesize: 2.6MB
          MD5: 77f7f1198b96b71df5200a3f564a7435
          SHA1: 65695c0ab25a4022d9edc6194f3deee92d272ef4
          SHA256: 41e4f47ac0a499d9d560e56f11204e09f873afa695da1990d53037cf246f5f7c
          SHA512: 4563de6460fd2cc052a398bbdfd6d2adb510aee6979a0f5f4e84d163f4959e4c17379c557f397031804e725aa33e447832abc3fb8082a3bde7237932dbef07b1