Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-11-2024 13:27

General

  • Target

    c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe

  • Size

    2.6MB

  • MD5

    182f21b27e16563b886f80ef812443a0

  • SHA1

    6a9337e726f7b69933e635a8110a0cf514a77c8a

  • SHA256

    c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783

  • SHA512

    bb15152bd76248bc351705e741a412668828333bb175747b953bfcbdf3a5c9057026497acf997e23fd549ecd31fe5958256a9cc12477bc025791f2947b636190

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
    "C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2300
    • C:\AdobeDO\devbodec.exe
      C:\AdobeDO\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeDO\devbodec.exe

    Filesize

    2.6MB

    MD5

    da021311a877ad92428dadf37b62effc

    SHA1

    208eac6390b879473ff82902156fc17fe51ec5a5

    SHA256

    87b5ba3764a9c636815a3958141b01bcb58b3bf4dad3cd664070330f9096a0be

    SHA512

    ad2d2df65a9eb7f7e3f9da8c5e0fad4f7778c1cf5e480bae9dcb120d44590eadba96a9be506273b081e637f9e744f041065cf5e05ea2eafa001e77056a9a00de

  • C:\GalaxSM\optidevloc.exe

    Filesize

    2.6MB

    MD5

    8173e9adcc429086444ee929a8cd8b97

    SHA1

    f8e88bdbb67203b3d601586119945ec615ba73d4

    SHA256

    223dba21fce6654e1d4c3994e18d42bedc8fc466e81bb99970deca48a840ebff

    SHA512

    5316c077f735b6a0b5abceb8aa07279a5a95bd7fb1a13f62b9d7b79a0c8a1cd83abd11e4bdab4429ac0cebafc71776c045e8b01068d0cd584dd44e9081c3a23a

  • C:\GalaxSM\optidevloc.exe

    Filesize

    191KB

    MD5

    c003ad024f7a20ea22a7e854edb21a28

    SHA1

    0802eb527b76e43f3fb6152ae1441bea475f4f80

    SHA256

    b7db689568c60d34cb2a6089105b0e15aa241524bfdd1168e4d93b2976c98574

    SHA512

    7331d783c9650cfb44470322ebc00ff2d28c322c6fb7ee6ebd11c28ecb3d817621db908f683360426842f072f84b46e38909b1fb3b10ae473d84c26b5ccd29d2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    eb23fb0691d5be39cc1bef1d515d5b34

    SHA1

    efd919013290c8cc5433801789c557badac31345

    SHA256

    2ab3431ba546a2ba596d80b9cfa2c9c8aec8fe20499ee563e96fb0c75e68ee7d

    SHA512

    a7bff44fbd2f9cb1b8c6cda10da2eac91e7e9a5f2628092953c1d49687459615acb83d75702b963902a11819a45bacb6cbc6d4a1b31f70baccd9963ef441afbe

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    384a9b70ce458578ed7dc3201117957d

    SHA1

    246268d2aaec1b220d2ca04af171fb09dd67f22b

    SHA256

    22d8c2d93af75efb6de5e79b78f0f1df30adf50f961891139916f6a9e49e5bc0

    SHA512

    9f534b79a4615d88c2533cc920f43bf5c91b04ae5b7c8abe108fda722d5f59fe3c3b055b484649c87c368eafac79903ffcbad9d42577a331c2d5862ae2982b45

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

    Filesize

    2.6MB

    MD5

    3becd49dd4617a5ea68af95f3504433f

    SHA1

    b9a1ae8882c68dd40d2fdd62aa5696452564172c

    SHA256

    0d7be94a58b6355020875bb5076b30dbcdea4c953e17ad36e375f6c30cefd488

    SHA512

    7b90d6b0ff94fb88ac551fcc4f84fb3daaee8f58a57a872a7058193ba1175215cbf8c17cd07ee8ed4fd6f09518a5ac93c667c60c0d1d5cf2305570f7a6d4e546