Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 22:59
Static task: static1
Behavioral task: behavioral1
Sample: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
Resource: win10v2004-20241007-en
General
Target: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
Size: 2.6MB
MD5: 640fec66562ae3fdeec14844e2da29b0
SHA1: c74620f93493cfdbcee93b10c4c821fb55739241
SHA256: c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5
SHA512: d736e38c9b366dcc2da152a889e7062aa0066dad57ddaf24839892a0bb19d9a33eb5a894b1c5bed38a57383aa288e0508ad859a81ddce968edf355ce1816b0b7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSq:sxX7QnxrloE5dpUpybV
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe

Executes dropped EXE (2 IoCs)
pid | Process
1016 | locdevdob.exe
3476 | adobloc.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesC4\\adobloc.exe" | c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKZ\\dobxloc.exe" | c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
672 | c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe (4 entries)
1016 | locdevdob.exe (30 entries)
3476 | adobloc.exe (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 672 wrote to memory of 1016 | 672 | c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | 87 (3 entries)
PID 672 wrote to memory of 3476 | 672 | c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | 88 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe"
  PID: 672
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    PID: 1016
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesC4\adobloc.exe
    command line: C:\FilesC4\adobloc.exe
    PID: 3476
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 19e86b221b1361b9b6f22a6f1c35b620
SHA1: b9e86c7b5a6a7c2ac7cf522775f4e7b5f7854db6
SHA256: 9a128eaa4cf8574d2c0ea3aec79bc1bb2c6af2f803ba4dba6eac243f3f101f38
SHA512: 6152845389a4fed6199483747de9a7bd361581fdddcb8011a8ede4ef4eea7de3e3a8793fc879b1cc026f11feef3b4c0360f015eb4215108a160e2e3e77d7512d

Filesize: 1003KB
MD5: a2aa82493782fb58a49875a59843e969
SHA1: 8aa1821c18e62193b89ef167083b078f4f480012
SHA256: 66bc97b44901da8f8d3c7e1cd8ef6abfd72077711a8059cb3508fafa299610ed
SHA512: 8453e6d474c6f352353bbebde0efca0e1c0f1dc7820dd95f9bf844656c5f319bef5650d1c4d5d4037d07db0bed094ffee0c00708ac82d0c5c075ae0e6e5ccb99

Filesize: 2.6MB
MD5: 2ea609a9118ccb74fd34f76d801b6448
SHA1: c8f8bd5a4a3f5681768c7b3d74a34f83be139ac4
SHA256: f74739ed382e5ed008d88c6709d9999eeafa9fa34882248307ce346223d0f138
SHA512: 11937a3eedbfb7b09b2847a11ff67ef918c5c6618c2c0eda6316744ecbfd3009ec05a6aa969fd8c6e082f75a2d6405f0888983a69d4d393cff72b670dce91fe3

Filesize: 202B
MD5: ed4f33db5297eb722788872b9de39564
SHA1: f3df26cd270216fd9f7501f7f5053cda3557dbf8
SHA256: 1c44c36cf6c547c99cbaeabe4beec501c1cca1bf3f0953be91a934f324d58390
SHA512: a9a47b8f35164399a7f6906331d7379c5061bd013912a7b15f1a710489b933fa204bd86a0684fb15af7a0196b8ab550e2a3990b37629c654ca76e1a458058af4

Filesize: 170B
MD5: 7dad366e88d385535765baf6274d6c20
SHA1: 53ba86daf24361dcb252608f90b7f9ad83e63aa9
SHA256: abb33f56319dc1c0deb2bf3b6e4f8425837ef6a3294076a8f0c6ad96873220cf
SHA512: 658fde955b75faf7c59188b8caf8433b7168ba0208d38fa07a086d595e3340b4b3d6ebb19b541ece531d47fc5d8983f41bacc3595567937f961800762358e9e3

Filesize: 2.6MB
MD5: eaba6178a71755b2ed2178b8b622c66f
SHA1: e0d7ab105f9901bb30be040ef0d2e55e2e688edb
SHA256: 927216629f7dbf9c40feeaaf37107d18e16fabb62df6c7bc9aed013df9b7f2b7
SHA512: 75c9f9f8ab90f6a8ba9db8ce70f0c5879bc415ab301c190ab9bfb526398aebe3d852ac08d4c207ba25f3264228cb2805632e61c5b1d31f6b036a7a4ef80220d3