Analysis

  • max time kernel
    119s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 13:59

General

  • Target

    1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe

  • Size

    2.6MB

  • MD5

    c36ab471590b1748155fd280cf12245c

  • SHA1

    b2536fb5858b058629ad1fd9a3e2e1caed757f71

  • SHA256

    1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2

  • SHA512

    2f053d576b94cedc7a704c6ba10a50a74f462d9bc98194b04b520b1ae4a185324491fd75f9e38011f069b40cd1b24d8f87a87267cfb8748cd04037f7ae748ab9

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq1:sxX7QnxrloE5dpUpUbV1

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
    "C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3632
    • C:\UserDot8K\adobloc.exe
      C:\UserDot8K\adobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDot8K\adobloc.exe

    Filesize

    2.6MB

    MD5

    23b9af3c82fd8afb5a068bcd3e08ae51

    SHA1

    0f8a490aaa15a6c8eed665b94185710a49f46974

    SHA256

    13adb7641b1b2c5e910453141fd0d4761f0f27dba808e3fce8e6f28ea023a751

    SHA512

    8c4c9cfe12b8b459df21bc287da4d6e06ec33cda49e032e4193c61a4bc68cddf63653afefd2735cb408535472e13748e28b2b512e3a43f93484a9497740faee2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    e287b52e70cf2f5bd68165cdacbcfb39

    SHA1

    ec3f4eef38c2b0d950473f94ca2d6381674b6f2a

    SHA256

    74e280f6b13a488084568df0f0a1eaf4df9bf6915e023785915d0aef2d9f3960

    SHA512

    3d5c642a9a4c6f9ca7f8d14123ef8c19e3d547549b260583e9066b4fb6f0c8c5440cebd973e2ae4509370700e8b6659b2974c0b645e70d2355fe6956e0a9acad

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    c9746e30437a669d3615def2c0d93464

    SHA1

    f9d8b2b966363f5e40f0b70d3c92cf7c8919c414

    SHA256

    9bfb29a7cbea7740ba18516db524c41d2c5d753054ea6564136b76f8b2372552

    SHA512

    737c2f9913a5a296b9ce1029f2b4eb086ee29fc17bc40c6a3df7e56c3a0dc316898b525d64ae1ea95664f38ce44e7dd4b719cd1120850c6e6a3b58034e7e32ba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    ba5b380699cf75d1987acc20e57ab57b

    SHA1

    afb20df2599d590796229ee07e30c2cef33904c3

    SHA256

    d12733b58317ac431a012c427779d5df6a5036812658866e92c38a2f07e3fcc5

    SHA512

    cd0b33387fc5ac15521afb1ff3b1054e0a6faed58374f6bfbf8a4561b7f8f1e697eb85d095d4056121dfae86da216b663a3e1ebafb62ce869db49c96ad451e9c

  • C:\Vid7V\dobaec.exe

    Filesize

    2.6MB

    MD5

    a1feffb4cb528bf0f07d30f4be398441

    SHA1

    d23fd0af780a9db09190af0428e2ab36f6c47232

    SHA256

    577faef1e0ba9560582a739dc644b77dcc82342c8634def81fdfb009e202d00d

    SHA512

    52ee2ea3ae237321770408381e62a488af29741af0f0e7fb62378b81ed4aebcc7914c8282548640320e05d310f21a5e8907624e2f2f533b7c91985967f57d524

  • C:\Vid7V\dobaec.exe

    Filesize

    437KB

    MD5

    2b50093d6627fcee545e6990d82f9c4b

    SHA1

    2e37331732f0e4ef9c52c719f672b02c5f4c8b8c

    SHA256

    3301bdc72e896d08e5ac823ab3ba8ddc39c9f5614f5289a4f8f7d3199d7450be

    SHA512

    814b6e92697aef4370d379a2bdc0537f3c49481e0dc1a1c620143c201433fca2cf64ed8761b8fde0da719cb7a33af7e5aa38bd61e3ac638b54b49be8797988a8