Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 17:21

General

  • Target

    d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe

  • Size

    2.6MB

  • MD5

    b4479cc4f5a9479b5d4259b7eb25d2b0

  • SHA1

    8d575cf4883182cbf288c7db009ab72ccc086968

  • SHA256

    d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825

  • SHA512

    070db49fddcfae383d9d7e30c8a86a74f666de352f9033c5056a7a75bfa791ae60093236d35ed8e2e313e30afe76a882ee108c8aa19db91d3daef665136881d0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS:sxX7QnxrloE5dpUpZb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
    "C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1188
    • C:\Adobe65\xdobloc.exe
      C:\Adobe65\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3208

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Adobe65\xdobloc.exe

          Filesize

          2.6MB

          MD5

          95ab4c216dfa422e2f9bfe7bde8097b2

          SHA1

          d351bde01c0a05ec2766bad5e34d032524ec681a

          SHA256

          08fe99f5d793b308d1e437223ec27ef58cc1f745c52f6053d9d703fb6caec87f

          SHA512

          dd2e6491d429861c21fe92233b843f182f2a0c2b15014f756a9c8a252d7272831104fd8dfe8735a960049b903d3ede1aa7a93b54903dda954de3f58ab54d6ffd

        • C:\KaVB24\dobdevloc.exe

          Filesize

          877KB

          MD5

          dd441a90b3929e379b5e687c40e462c1

          SHA1

          ed8fd1688fe952f3c4139bbd554a7dcc9e4fb617

          SHA256

          398c41f2868f122743f609b0ee2e6e0e4ceb264eb56f10b8426be5607653aeda

          SHA512

          a37d5c21bc1ef4eb8a29e0a73193794141403a89133fa7bad9236123025a080b130191fb93a5f915e0fe79f1a689c67eeaed99ba453503ad3c6e7fe0f4b0855e

        • C:\KaVB24\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          0f44e2a3c0551a5e4fe9193d05c1e0ef

          SHA1

          b4850d426fd963665b1cf1c478c7a11f0e1398c3

          SHA256

          b15b1fb7549e37e66632af877cf9154f8698d790ef00874bfe4367901dd09586

          SHA512

          508be8d3b425e7d30b214b4b76c029abae2a2bc344af4aefc02a66e714eb932fabedb34cb0a4f8b75195a5ebe0c02d8feea35c8f593996d417e65bbe49c6a611

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          204B

          MD5

          d0dd4e5183a95065048e679331b77239

          SHA1

          c8f719c7655ca9c1128d54287c2743358d14b9df

          SHA256

          ff7ba338ee00acdb24699b9b4e9870af905fe493a6d689c7e7b268dd56a58186

          SHA512

          893c73748e613acd97eff565cbc9d4d3e4ac619f704999ba41b398975c14dc8db709e45e3c74cef189a0d20a2eb0a4d9c0d4f2fdc2ee8e74a58aa51e80b4085d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          172B

          MD5

          8616775d1b303f9c7cc6b6697e26df13

          SHA1

          98883ea5281dbbc790c8a31352a388ae53cf4b44

          SHA256

          b1110957034016e38f3a124ec2c1fdfec861793d3fc0fd306d20972de0cd0805

          SHA512

          aecb5fa03c56abd2a259ee47a2291234549ee300c33c6899844ed7b7579c066de861153b05735342cc7a7e1dbda15d0b055c0dd37948a0e1999a658ff1946095

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

          Filesize

          2.6MB

          MD5

          f74a6cf39a57abb3fdb5b0cf1f03afc5

          SHA1

          282e6330df78bb548ccf58378b876eea51a93c80

          SHA256

          d9c1a96eb49a9ae315b91457dbb607bdf51e406d057dd7a1f6bd09a4530dd14a

          SHA512

          59c412a6125c4459a41be4e8b231f3f838385a76f6b5449a20e92a7d8a5f8f8eb9cd19f0ea28809b7b7c8ff66b18d6264367733c1e1efbb363f82c0972d68cca