Analysis

  • max time kernel: 120s
  • max time network: 97s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 13:30

General

  • Target: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
  • Size: 3.0MB
  • MD5: 05b94f0a6f5415b0a78b17374bcd81b3
  • SHA1: 8733cbeabdc5cd57665c2733c4f4b60c34972006
  • SHA256: 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc
  • SHA512: 7e5252f68867543e2ab382de72a844ef039d77bc6e00f4cde38c2986f50d8f0fb49d219ad5f33d820eb375e451825fe097c0c21323b9c30ad5a271774459c7c7
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8b6LNX+:sxX7QnxrloE5dpUpPbVz8eLF+

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe"
    PID: 3696 (depth 1)
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      PID: 4744 (depth 2)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
    • C:\SysDrvUS\adobloc.exe
      Command line: C:\SysDrvUS\adobloc.exe
      PID: 32 (depth 2)
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint3O\dobaloc.exe
    Filesize: 78KB
    MD5: 1b91b320db05ed7bd8446440dc1fe864
    SHA1: f03dd0f0982725cb145df8ae53c78e7c1814a38c
    SHA256: c71731811d4117d109eb550e79b53772c4db1a05134b8c257b8210e55ccb11c2
    SHA512: 8634786bba669a1a2ab5c07bb6e6da0e1b89ca5e1afe7ff3676b93e091b7f06091f69734aa1f766ea99c124e0662c0dc9a3cccfd385903c24ca945d7c0010ef9

  • C:\Mint3O\dobaloc.exe
    Filesize: 680KB
    MD5: e8451cfb74382c321402065f87d84364
    SHA1: fcaecce9c3817fd433d750c5190307d3a5818e6b
    SHA256: 380f86d2899edd011ce19c6e4aeb638d8e5488edf22a8bd5fd6bb51fe2603472
    SHA512: 6f4ccca17db3a08b805b12b2a42bc34433fb177e72f3f5bfe1c0e4a9541a761aebb8e5653b53e3b0ef69ec7ff64c8a7478dcfb7906ed8deefea93d3a596fb82a

  • C:\SysDrvUS\adobloc.exe
    Filesize: 1016KB
    MD5: 6043dd9cd5c6b338d047dd7e2e16b5fb
    SHA1: 4547ce34bc9dca5f4f36c00a1d2bae02f98ddc0c
    SHA256: bade16afc7e71cb128baf089c0675b5cc414abdf58b4efa6d8abd5e4b19c843f
    SHA512: 54bcbeb430fcfdc433ddb2d3b6f96223b8371563e4b278c44759868fa1684feae074b425952503f724cd1356b8dc6b11c6f3a833cf225d529fb7c3f5a6c41ca5

  • C:\SysDrvUS\adobloc.exe
    Filesize: 3.0MB
    MD5: 300d3e87ec0c87eeacae342a007f1372
    SHA1: 8519d557d2a13193505d04fe5b8d7c0d75701e91
    SHA256: d1455fd5471ddf7053b1f713a6694b278fe16e5cdf0977c26f7c718050aa494f
    SHA512: c78837ad9fc8b0427d62d1be4aa1458df1f4d42339657d59920c38215f9b2c00f127bc89905c39889090a7c3bba82c701135faee57597fb90035125dfe763a0c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 422b25f47efab423615db7ad016e2c7c
    SHA1: 3f29a9fc192a1f9d82eccbff0f853f6459482877
    SHA256: b570292331de687d7f638e71aa2c61ec1cc121448dce4100d09ba0cf787e15c6
    SHA512: cb502c52dec2e26faed2b91e08aaf68f885c577502a5f261e324fbec9d69a7efabbe4a4d01b8090d7c28429a39acc428e7317df09286f996f1626654bda28945

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: feb535f55ce5c65a5c424547164f9fb1
    SHA1: b4f141e34534a6bbf7093391c7ab9eaca5df1a93
    SHA256: a2a9be8cd6a38d61b9dc73290a8be34eb85ead56843841cf75bca44d5c83fd04
    SHA512: 10e399d33bae128118eb73fba0e11360d20c6cc7dc16cc83667c09dd053e9e5beae330cc7fb6219a58a7c4e5627a41812f9ebffc48a2f452605eade7f2df61ff

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
    Filesize: 3.0MB
    MD5: a659272f7cb6c6fc86ac0b1f17bab79c
    SHA1: 0ad51457949d222c4e1ad90db10061ee776d1351
    SHA256: e4adb1d8d7f7f4b8aad71e03eee538c2afe16800012dc05d83c2ceb294800805
    SHA512: ed3fb4410417833473e8bce9efcde4501d88757ba95e20478b986c557992b6cb6c8f5b0d25ba984077eaaeb040db1816fd8a1b3404d122824eb5747abec820f8