Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 13:39

General

  • Target

    84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe

  • Size

    2.6MB

  • MD5

    9bf4f468bf0478b72213306bda31c250

  • SHA1

    6efc0ff3dda70bffbb144d9a1097622a16113c0a

  • SHA256

    84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855

  • SHA512

    56e9c10e59c98b5813a31cffcd23a3c2e28af4a19c5f30bfd62ff761872300167c81e227343327cdc2c5c913bd435b77e14e1a262078acc2c84638512910b9b8

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpKb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
    "C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4748
    • C:\IntelprocKO\devoptiec.exe
      C:\IntelprocKO\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\IntelprocKO\devoptiec.exe

    Filesize

    3KB

    MD5

    1158f86a0845ee6fe9ce7b682fd51439

    SHA1

    caf9890ab05a6eef87827bb3ab60eaee3b254faa

    SHA256

    3d1f80bce336609701c74a291ec5f27ae76b198dfc51fe6615349996dcba8ab1

    SHA512

    3820fa06d8911561113535b4e01a0e4a3bcb87a566762f0995074fdd561e824454613a36d5347004f0370ff27867df4f962f498ca63e8e4b5e82c935860d3503

  • C:\IntelprocKO\devoptiec.exe

    Filesize

    2.6MB

    MD5

    7d947ac6e57ac0730960d5596aaf34af

    SHA1

    af45b18a78f9f3fe3d8a505b167d137acc41d324

    SHA256

    1923128e1cf75b23cd9ada3e493a628aebfc5e31f37dec27e5dde76028f269ba

    SHA512

    c68f0ac1fc1479d72b3a94ca0508cd820ab03e4b2fbb2e8867c51ccb5b5c0229befd0ae6ce6e9fb7509e77b08f16890b243415f848a626e3e3dfd000046408bf

  • C:\MintIS\dobaec.exe

    Filesize

    2.6MB

    MD5

    8f9f7b627add6f3a754ed22ff4b23011

    SHA1

    ba5682ee646fae8e19b380426cb82833d2478653

    SHA256

    8dc84ceb78c8d499f4edd8cee3f693b5cd1e8ca217f83b26eb245d8deddd5ea6

    SHA512

    c12be76524eed8b00d0a43f1f9112de169feb013f57b189d60a3013974bb12fc389139447da876a05f7ca8449cf55f516bdb9d4ca6916c1a43019913eb6d456e

  • C:\MintIS\dobaec.exe

    Filesize

    2.6MB

    MD5

    815707e9d21e33dbd3b5e23e10e9c3f8

    SHA1

    0e0b4c7554e5dcf0563a1642b84c5de9cd3b405b

    SHA256

    57589ef6a591e5817869287df50883dc76404650b9dceca07cd4d3648b12fb2e

    SHA512

    0cb334eafce6258c3e2ebc48bd676fdf4275a458c820f5acebc14979b791895603f0ef5cf95b618fe08f0786bb3ae66df23cf05ec7134f27b0b5f5a386649fd0

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    a34208f6f96ed9c762187e5ba7716bf2

    SHA1

    da6792f9264ff6c326e6e17fffcb4c5ce2941955

    SHA256

    3029128fec2068bfc746445ee8d57a630d33b6fa035bddef2e08bef5139e97be

    SHA512

    cf4634af718eff51c0675df5b72c172453d531eb672573efdc307eabbc5a18b56b27a3ae9ed20539d14b9b958c651aa699cf81e0cdf656077cf37cdcac37828a

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    175B

    MD5

    158d8352e255d1ca9a49ff69faadbf10

    SHA1

    80d9ac37418cc0dfeba5c2191faa9396fea118eb

    SHA256

    1e8d5bd2966143d945dcc7d3902a90e9d6fb3dabd49727f75dd08a663efc5c15

    SHA512

    d9d56bfb06dda38e8b318b77f3ab35aa2a2c7b718c866b9377a8cbed2f17116783c276d2af2256dda50f851f2c2d1a8a9fcdf1c1b8c1ccbb23ac191cc0641e99

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

    Filesize

    2.6MB

    MD5

    cb3ce4d489f2b888c54f910dcf98cf63

    SHA1

    306dde41b9a3d334365df4f1b3dae07db5d1fe58

    SHA256

    45fbe833021c134c890756472a0988eced345424c4067a897163b383e1c88460

    SHA512

    e95c81237c6bf4082f37260e3c5340d79d14fbfb71e83e4f3175742174a821b80e7755a8691568b4c11d94e21cd2aff2eb93c58c452ef20bca8258bae0148c2a