Analysis

  • max time kernel: 119s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 13:51

General

  • Target: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
  • Size: 2.6MB
  • MD5: f39e661293c6eb02e1ecfe75608533cc
  • SHA1: b3ed1e1afdc8d065fdec6be89fd2de7ffb865377
  • SHA256: d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa
  • SHA512: c69121d43574de34b9babfabaf6ae3eeba9b62b54f216cea56ae9a1c318c14e9fe71affac306061ab6dd319e10b3bc371a5848a92a32b50097ca6c9947da0a7b
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSy:sxX7QnxrloE5dpUpKb1

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
    "C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1468
    • C:\UserDot28\devoptiec.exe
      C:\UserDot28\devoptiec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintU0\dobxloc.exe
    • Filesize: 2.6MB
    • MD5: 32bbcbab3419e834435d02c0275fd37f
    • SHA1: 98e418dd90c189398b5924e334eac4015c15faef
    • SHA256: d728d4abb6b71bc517348f4add2f8461986a657d58be8a825ab3850c40eb0b16
    • SHA512: b4f3c39a75f864d351e8a58232e203c1d06c2d32d0c94608d5ca27e9c93aafff543bf2530cc2d31226aaaf5a0f97bdcc00e104f58401714e65617241d601ffe1

  • C:\MintU0\dobxloc.exe
    • Filesize: 2.6MB
    • MD5: db46af80db043749659c82918a3334b5
    • SHA1: 65c7052a6b7d8fca322ecb61c9ece95246068ee9
    • SHA256: 0adb23abd425fc6794de9cfe6a3cf74d43e37279cae6f134782bcd51c0068313
    • SHA512: 5160e51941d2f0a098e98ed4303537654458434fc6fefa670104ea82a8c03f3faf8572179b71bc2bdc763551d50476f13007bb590ac491a0a97a927695817645

  • C:\UserDot28\devoptiec.exe
    • Filesize: 2.6MB
    • MD5: b736750331a9edf63fe4c708b80662c5
    • SHA1: f5b3761b33bb51f28c30ee598f44afa419f678fa
    • SHA256: f7985d64f9f8b4884c89453da59ed970d1583ce1c0b69b7f25e9a78414ce58c0
    • SHA512: 15648e88d4aa83d23a534c8223ddc6fb97653534704d42393f2519d488e63ac68f655fdc2182f91de15924f89b811bc7369efc1cf96b7c038f12eece37a70a53

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    • Filesize: 204B
    • MD5: 9b3030154a2365989dd732c4b03c3fda
    • SHA1: 6ddc70be610b9f14839d826db01fe84ebcbf5d86
    • SHA256: 69e2c0c4e04a281a68a4a1e4662722825619ec1f37291b233ffa73b1872854ac
    • SHA512: 7738221275bafc102c68ddde9cd3dafc870e7f0999c916e079b388516c1670ad1d3783f5df4a08af06d9d8151a1385ebf0394e3e16334e20bea5aca1fd416930

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    • Filesize: 172B
    • MD5: 0189ea19fb1d2ecf1120e2f93e29b0c6
    • SHA1: 318163923f0fe19a34b86c4d5528b8c5583a3d6f
    • SHA256: eabd56d9aa0d41130cf70db02c0304aca8f633d894cb3464196b408208ea56c2
    • SHA512: 638634df4ad370fdb2dd3f657945ca35f01df649fbeded605c26c1418dd56819b1fb44c26f06cea93d3f0b2142df2cb3d1e4da0ce337c0155756dec50eba015e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
    • Filesize: 2.6MB
    • MD5: 02ad932016415ae33db41793b5de29d4
    • SHA1: 580c7abeb0e3ac7caaa0abc8e8751682d44c4771
    • SHA256: e3f043f681ccf49edadf2ee4b765611bd5f4846e358c8ba0976f5c28c819d16f
    • SHA512: 2a11be83d5339f5a7281f4918b695dc3cf7fb273474596c82d96f93de70ca74c8f5dbea569d51383a794c825fc3e058c1a1648ba46cbab247dbfac2ed0da7f69