Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 22:59

General

  • Target

    c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe

  • Size

    2.6MB

  • MD5

    640fec66562ae3fdeec14844e2da29b0

  • SHA1

    c74620f93493cfdbcee93b10c4c821fb55739241

  • SHA256

    c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5

  • SHA512

    d736e38c9b366dcc2da152a889e7062aa0066dad57ddaf24839892a0bb19d9a33eb5a894b1c5bed38a57383aa288e0508ad859a81ddce968edf355ce1816b0b7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSq:sxX7QnxrloE5dpUpybV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
    "C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1016
    • C:\FilesC4\adobloc.exe
      C:\FilesC4\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3476

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesC4\adobloc.exe

          Filesize

          2.6MB

          MD5

          19e86b221b1361b9b6f22a6f1c35b620

          SHA1

          b9e86c7b5a6a7c2ac7cf522775f4e7b5f7854db6

          SHA256

          9a128eaa4cf8574d2c0ea3aec79bc1bb2c6af2f803ba4dba6eac243f3f101f38

          SHA512

          6152845389a4fed6199483747de9a7bd361581fdddcb8011a8ede4ef4eea7de3e3a8793fc879b1cc026f11feef3b4c0360f015eb4215108a160e2e3e77d7512d

        • C:\MintKZ\dobxloc.exe

          Filesize

          1003KB

          MD5

          a2aa82493782fb58a49875a59843e969

          SHA1

          8aa1821c18e62193b89ef167083b078f4f480012

          SHA256

          66bc97b44901da8f8d3c7e1cd8ef6abfd72077711a8059cb3508fafa299610ed

          SHA512

          8453e6d474c6f352353bbebde0efca0e1c0f1dc7820dd95f9bf844656c5f319bef5650d1c4d5d4037d07db0bed094ffee0c00708ac82d0c5c075ae0e6e5ccb99

        • C:\MintKZ\dobxloc.exe

          Filesize

          2.6MB

          MD5

          2ea609a9118ccb74fd34f76d801b6448

          SHA1

          c8f8bd5a4a3f5681768c7b3d74a34f83be139ac4

          SHA256

          f74739ed382e5ed008d88c6709d9999eeafa9fa34882248307ce346223d0f138

          SHA512

          11937a3eedbfb7b09b2847a11ff67ef918c5c6618c2c0eda6316744ecbfd3009ec05a6aa969fd8c6e082f75a2d6405f0888983a69d4d393cff72b670dce91fe3

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          ed4f33db5297eb722788872b9de39564

          SHA1

          f3df26cd270216fd9f7501f7f5053cda3557dbf8

          SHA256

          1c44c36cf6c547c99cbaeabe4beec501c1cca1bf3f0953be91a934f324d58390

          SHA512

          a9a47b8f35164399a7f6906331d7379c5061bd013912a7b15f1a710489b933fa204bd86a0684fb15af7a0196b8ab550e2a3990b37629c654ca76e1a458058af4

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          7dad366e88d385535765baf6274d6c20

          SHA1

          53ba86daf24361dcb252608f90b7f9ad83e63aa9

          SHA256

          abb33f56319dc1c0deb2bf3b6e4f8425837ef6a3294076a8f0c6ad96873220cf

          SHA512

          658fde955b75faf7c59188b8caf8433b7168ba0208d38fa07a086d595e3340b4b3d6ebb19b541ece531d47fc5d8983f41bacc3595567937f961800762358e9e3

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

          Filesize

          2.6MB

          MD5

          eaba6178a71755b2ed2178b8b622c66f

          SHA1

          e0d7ab105f9901bb30be040ef0d2e55e2e688edb

          SHA256

          927216629f7dbf9c40feeaaf37107d18e16fabb62df6c7bc9aed013df9b7f2b7

          SHA512

          75c9f9f8ab90f6a8ba9db8ce70f0c5879bc415ab301c190ab9bfb526398aebe3d852ac08d4c207ba25f3264228cb2805632e61c5b1d31f6b036a7a4ef80220d3
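The signatures, process tree and dropped-file list above give everything needed for a host sweep: the SHA256 of each dropped executable, the three drop locations (the user's Startup folder, C:\FilesC4, C:\MintKZ) and the fact that a Run key is set. The script below is an added example, not part of the sandbox report and not code from the sample. It hashes files under those locations, flags anything whose path or SHA256 matches, and inspects Run-key values for commands pointing at the dropped binaries. The report does not say which hive the Run key was written to, so checking both HKCU and HKLM is an assumption; the Run-key read is skipped off Windows. The `demo_with_constructed_files` function exercises the same checks on constructed input so the logic can be run anywhere.

```python
"""Host sweep for the dropped-file and persistence indicators in this report.

Added example, not part of the sandbox report and not code from the sample.
Hashes are copied from the report's dropped-file list (executables only; the
two .ini files are omitted). Checking both HKCU and HKLM Run keys is an
assumption, since the report does not name the hive.
"""
import hashlib
import os
import sys
import tempfile

# SHA256 values from the report, mapped to what they identify.
DROPPED_SHA256 = {
    "c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5": "submitted sample",
    "9a128eaa4cf8574d2c0ea3aec79bc1bb2c6af2f803ba4dba6eac243f3f101f38": r"C:\FilesC4\adobloc.exe",
    "66bc97b44901da8f8d3c7e1cd8ef6abfd72077711a8059cb3508fafa299610ed": r"C:\MintKZ\dobxloc.exe (1003KB)",
    "f74739ed382e5ed008d88c6709d9999eeafa9fa34882248307ce346223d0f138": r"C:\MintKZ\dobxloc.exe (2.6MB)",
    "927216629f7dbf9c40feeaaf37107d18e16fabb62df6c7bc9aed013df9b7f2b7": r"Startup\locdevdob.exe",
}

# Path tails from the process tree and dropped-file list (lower-case, backslash form).
SUSPECT_PATH_TAILS = (
    r"\filesc4\adobloc.exe",
    r"\mintkz\dobxloc.exe",
    r"\start menu\programs\startup\locdevdob.exe",
)


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256, the digest the report lists per dropped file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _normalize(path):
    # Windows paths are case-insensitive; also accept '/' so the demo runs off Windows.
    return path.replace("/", "\\").lower()


def scan_files(roots, iocs=DROPPED_SHA256):
    """Walk roots; return [(path, reasons)] for files matching by location or SHA256."""
    hits = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                reasons = []
                if any(_normalize(p).endswith(t) for t in SUSPECT_PATH_TAILS):
                    reasons.append("path matches dropped-file location")
                try:
                    digest = sha256_of(p)
                except OSError:
                    digest = None
                if digest in iocs:
                    reasons.append("sha256 matches " + iocs[digest])
                if reasons:
                    hits.append((p, reasons))
    return hits


def suspicious_run_values(values):
    """From {value_name: command} Run-key pairs, keep those pointing at the dropped files."""
    return {n: c for n, c in values.items()
            if any(t in _normalize(c) for t in SUSPECT_PATH_TAILS)}


def read_run_keys():
    """Windows only: enumerate HKCU and HKLM ...\\CurrentVersion\\Run (hive choice is an assumption)."""
    if sys.platform != "win32":
        return {}
    import winreg
    out, sub = {}, r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive, tag in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, sub)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                out[f"{tag}\\{name}"] = str(data)
                i += 1
    return out


def demo_with_constructed_files():
    """Constructed, offline run: a fake Startup folder holding a dummy locdevdob.exe
    (its hash is added as an IoC for this run) plus a constructed Run-key snapshot.
    Returns (file_hits, flagged_run_values)."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = os.path.join(tmp, "Start Menu", "Programs", "Startup")
        os.makedirs(startup)
        fake = os.path.join(startup, "locdevdob.exe")
        with open(fake, "wb") as f:
            f.write(b"constructed stand-in, not the dropped binary\n")
        iocs = dict(DROPPED_SHA256)
        iocs[sha256_of(fake)] = "constructed test file"
        file_hits = scan_files([tmp], iocs)
    run_snapshot = {  # constructed, not taken from the report
        "HKCU\\OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "HKCU\\adobloc": r"C:\FilesC4\adobloc.exe",
    }
    return file_hits, suspicious_run_values(run_snapshot)


if __name__ == "__main__":
    roots = [os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
             r"C:\FilesC4", r"C:\MintKZ"]
    for path, reasons in scan_files([r for r in roots if os.path.isdir(r)]):
        print("FILE", path, "|", "; ".join(reasons))
    for name, cmd in suspicious_run_values(read_run_keys()).items():
        print("RUN ", name, "=", cmd)
```

One caveat the report itself shows: the submitted sample, adobloc.exe and locdevdob.exe are all 2.6MB yet carry different hashes, and dobxloc.exe was captured at two sizes with two hashes. Hash matching therefore only catches these exact copies; the directory names and the Startup-folder placement are the indicators more likely to survive into other infections, which is why the sweep flags on path as well as on digest.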