Analysis

  • max time kernel
    119s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 14:00

General

  • Target
    43003b2252701a40d38f131a452391339fe14771b00a810312cd98150a951e14N.exe
  • Size
    2.6MB
  • MD5
    2d26cb2a559108a5c47694f74d520790
  • SHA1
    c4a5f881d83ba18e2b482481cfb2da0006219348
  • SHA256
    43003b2252701a40d38f131a452391339fe14771b00a810312cd98150a951e14
  • SHA512
    d74d2175b4640a9b5f495c7a72561cf5bee610162797b5a52b3e2f516de8ff1d48328683ecba0408721fdc3b83493ef790400f2994e47277c766d6b3ef2e7b29
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpQb

Malware Config

Signatures

  • Drops startup file (1 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\43003b2252701a40d38f131a452391339fe14771b00a810312cd98150a951e14N.exe
    "C:\Users\Admin\AppData\Local\Temp\43003b2252701a40d38f131a452391339fe14771b00a810312cd98150a951e14N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2776
    • C:\AdobeDO\devbodec.exe
      C:\AdobeDO\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4664

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\AdobeDO\devbodec.exe
    Filesize
    828KB
    MD5
    a67608901df8317d8feb584893809d39
    SHA1
    0095f03dc9fe59910ee0ccdc5de8fa5938b95ba6
    SHA256
    02bec78a0ad5d331fb9b1a7cf5670debc725ee154e5b0943d3279b51ae7e9efa
    SHA512
    a28445d1a34cb592b6da9171f285fa63e91e785ef543bb8c1623535d1b5a088021c0bad62dd39e5d833a8327255edeb2cfc76b63c877cef1e7510e0f0e86af27

  • C:\AdobeDO\devbodec.exe
    Filesize
    2.6MB
    MD5
    9b673cb77f20ce0cbcaf29b690e598a3
    SHA1
    b86f9afbdf61316876d184e940d61c10e64ac32b
    SHA256
    e6c87f1681bf5af3b1d3985a01c56d7f26d9b26dbfc08a746f868713a4f622ae
    SHA512
    111a160348f081c04a814107b2890a94386543a71627629c5c74b5accb077208fbc1e00cb28e4f5064a1875c227b77784979cb04d9d099b984f2698f25271b07

  • C:\GalaxSM\optidevloc.exe
    Filesize
    2.6MB
    MD5
    ff9d010be3744d9014526adfb0a0bc4e
    SHA1
    1d28236f176ac8cc6ce496c66ac12ba565acbbac
    SHA256
    f791b070fb0f421291a9a7f144ffd37ae47b0f52d2fe33e3774a19ca68a83de7
    SHA512
    ce542c4a23d2f196b45b94793d316e114b7a94f682841eb81a285d988724660d543b94603812aa8a5779e3e8a197902aa61b2ec734f12ff650b9ef0ca89aab37

  • C:\GalaxSM\optidevloc.exe
    Filesize
    2.6MB
    MD5
    54ab0cafdff90f1336ae6e74591ac434
    SHA1
    4ebd0545d1933df278137483656f791c0a5bd190
    SHA256
    9dfd575e67ba00b56bc7eb0f6299e14e6fa17b7996056f24c0b5951da6420f4d
    SHA512
    ca14e95f5256f2f852a66dc5ea292100e1a3beaaafa7857c9b83a394e7280f477226a3702e96722a5685e6b25363ba7d3a13e770d7d34b2b486db61ed8eddef4

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    205B
    MD5
    eb23fb0691d5be39cc1bef1d515d5b34
    SHA1
    efd919013290c8cc5433801789c557badac31345
    SHA256
    2ab3431ba546a2ba596d80b9cfa2c9c8aec8fe20499ee563e96fb0c75e68ee7d
    SHA512
    a7bff44fbd2f9cb1b8c6cda10da2eac91e7e9a5f2628092953c1d49687459615acb83d75702b963902a11819a45bacb6cbc6d4a1b31f70baccd9963ef441afbe

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    173B
    MD5
    384a9b70ce458578ed7dc3201117957d
    SHA1
    246268d2aaec1b220d2ca04af171fb09dd67f22b
    SHA256
    22d8c2d93af75efb6de5e79b78f0f1df30adf50f961891139916f6a9e49e5bc0
    SHA512
    9f534b79a4615d88c2533cc920f43bf5c91b04ae5b7c8abe108fda722d5f59fe3c3b055b484649c87c368eafac79903ffcbad9d42577a331c2d5862ae2982b45

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Filesize
    2.6MB
    MD5
    2095f5d3ec4c1dddca144d06bb99f376
    SHA1
    130fb1b56ce2a52f97f447f10f72f4ff6df22cd1
    SHA256
    ffb9eb8adfe3dafec8658e4ea384d9f317284da628e34271723d8a9dead5da16
    SHA512
    11b14f795f50ccd3e22482fee827fc68cb07e79624e04bb315f1a8771ab331a0160484abcd4904aede0f88ff2fc8c575d5b8c7823b514ceab985b47c5d5951ee