Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 22:58

General

  • Target

    8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe

  • Size

    2.6MB

  • MD5

    a8c23cf01ddca118253b54c8bd9c7c40

  • SHA1

    46d3a880fde7512b73bc768ebcfcc0e37b023fa6

  • SHA256

    8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823f

  • SHA512

    c1bace1db34362cc10b193f659bf57e9227cf0cc43b7da676c00af05ad94653ea527acdc6bc99c7282f61ef6c1d53c43b71a16bf72a1a1100e9ff8e92fd4c5d4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpzb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
    "C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2036
    • C:\Adobe3Z\adobloc.exe
      C:\Adobe3Z\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2864

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Adobe3Z\adobloc.exe

          Filesize

          2.6MB

          MD5

          838e707fb5e4f816b0c784b9c7cc3de6

          SHA1

          c9b80d395abfac45e636abda99b1676456e01cf9

          SHA256

          b9cc4189c484e7eb3127c48b8ff3481c97d414012d31b31737003294dd6b5b14

          SHA512

          40091a6ed33d4e80faefd1d0c2f5114f1914b02c43fa3e92d31d67696f83c5bef23a19d8f01b2f8fa1009c893e770777f37187a112a17769887aadd077dd95ee

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          d8dcd725e2f78b02fef756a5c0d6482e

          SHA1

          d8125c0e9f8b53c7e7094fe11e382c5f0c662842

          SHA256

          a4e60670029a919e38fe240f5722209b1687596f3a42a9697af7869f60fadf7f

          SHA512

          28ff1d5117437a62a89c096219f2de508a410cde0537267815281459ca5af4cd63740dae0c8e3972102231a39090e882fbcbf16a52d3d25bfda95e3bc7ea445a

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          58fb11b5f050ef11db6049686b32450d

          SHA1

          5098a26155acf7baf54ba3a188704c93c6c59570

          SHA256

          bdfe63dba1e0b3dfe8c024d07524c52265f33a2fdf13ed29d63df33e197cd71c

          SHA512

          85ae1aac819580fc4de5806cc9c9cd6b15906a911935bb3a493de0b6cda0963792a49e3e704b10683be7a8a200ba5d7241e288996f09f0534ce5206063926882

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

          Filesize

          2.6MB

          MD5

          86c4f01180028704f1c5a9470f356552

          SHA1

          a523edf7789463e509a58e35b700a2375fc3f425

          SHA256

          5dfbdc4843a991ab1ede3bd4bc23cffaba8becc0d9bf6f6e4e6a8a80db437fb3

          SHA512

          08d303e20c76246635a343cf9df17de01b1b4c5219b02c636b30b934db7658168b4f390fdb8f732f10900fcf26a802fc5f8e3598ffd06e97251e80d21d216c69

        • C:\VidT8\dobaloc.exe

          Filesize

          2.6MB

          MD5

          f67875ba4796683f4cee41b943da23b8

          SHA1

          ea01d0133be069525c05cba3435f9d687d3d4f36

          SHA256

          9f10d28da9d7e5f7005e9ea0b67262c0601e12c0de44f54086765593be2b4953

          SHA512

          aeffc3ec1902ff17ab47622e88c27e554d0c410f1828c2d64b18e442853828e153d4b6f4512a1bef63a709e5f2461d212a1105ddb89e65b1e7aadc82e7855d2c

        • C:\VidT8\dobaloc.exe

          Filesize

          2.6MB

          MD5

          a48326df3e9f03af4efba04847a1aea4

          SHA1

          641f6ff2c62029a37c2423f95507af9119ff957c

          SHA256

          dbb8d656d3e9c5d826466eba74e72c6b62ff271896618a0c2d40a7d2ceca8c3f

          SHA512

          e7dbeb38ba60f41db7ae27a20398c1b40d45053240559da891f6573743fd9d163ea76b5d12e5c1c4a11e456e793cce38eb25ec08c975cd233a3c4b2a905f6b55