Analysis

  • max time kernel: 150s
  • max time network: 144s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 20:17

General

  • Target: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
  • Size: 2.6MB
  • MD5: 2ff31c5997c4d85234886775fe0ab0fa
  • SHA1: a12aefc6335e6604faba3e6de26bbe5050daeb52
  • SHA256: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d
  • SHA512: 16fe90c2ecb0f4efe32900e1d28a892c3637c7b833d782a88bb706023abb35fe27c39a9d871a18b791b23e14fa93739916a1df6468c31ee90ad41edf3421c02d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpTb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
    "C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2452
    • C:\Adobe09\adobec.exe
      C:\Adobe09\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Adobe09\adobec.exe
    Filesize: 3KB
    MD5: b85ef880820ad2f02706b10170e533fb
    SHA1: 71378239fb161e35c8f79d7a951d7d09d4f45b33
    SHA256: 824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78
    SHA512: f430b5b60b9ef1cf4efe9787c7b0f161b12f4212956a065e1f0b6a07907600fe307c8323482f6e6d85953fe9576ba09e3b9876d9c27e916f7ee62a9c3665a6d3

  • C:\Adobe09\adobec.exe
    Filesize: 2.6MB
    MD5: 4bcd56c0b024f85286a7b25c833420c8
    SHA1: 5653b493e3e6fa9e541a4979bd5223877a91348a
    SHA256: ff7d3a1e861340eba7f1f8cc678d1cae1136e2f6b73abdcf13fb4ed08f670293
    SHA512: 638fdddba89c3ecabbb0708bef43b0763d6e4c86a51f449dd092ec9d905cada4d49504a3aa0451723eea56cd265001f48575eab0214a3a806c33ed05e9d0db29

  • C:\KaVBJR\dobxloc.exe
    Filesize: 336KB
    MD5: 7a6ccd051b149b4819712a9ca8954bd7
    SHA1: 4c192974df9de201ae81421b4f62f983e1778181
    SHA256: f72f38204a58571bc57abc5403cc81f0a3948f7988e7a31064cc47fe6a1e7bca
    SHA512: fa5667bfeb78f70a02e8934ef81ef5c81b8b469f7322d136c0211ff7acd6cd0249fc975a3b33ab6bc739ed2ea0ec1bfbd38dec15eef50e35a4a71648a2ef8c97

  • C:\KaVBJR\dobxloc.exe
    Filesize: 27KB
    MD5: 9066f9da2f6e14f558228b695e72cbf2
    SHA1: 91038a2a5cdbee686253b1163db1462b67afdc3e
    SHA256: afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4
    SHA512: 41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: 5c7bac193bfbc09abe0f9417f2d469da
    SHA1: b552d728ea434118f9174a30b2f81566d5387ff8
    SHA256: 81157c6bd89dfe6c0343b2a2ff733a2d92c79335fc5d1fc890d31cd0629e0d17
    SHA512: 2c2731b528645056f3aebd478cd26f6e339e97a69d021e28755276becf3dd3910fac2398360afef79201e5571939eaa0e048dac59d239f53e0c2031286cbf431

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 549856c44910ab30e45fe7fe1083ffb9
    SHA1: 06195baf8a35dc93ade96c133043b07ba7e8da6c
    SHA256: 3bc57ba1ef5ae459c734908388ade6f188790a79e07a8865d8ab22ab2fef035f
    SHA512: 93170cf6dda6c34b8e5f23af9e08831929b3665f3683c571ad92c6d532b1e9961167fb924a9c82211aafabdcd02a886f4738c345ea27ab0efaee7787f05c2fa6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Filesize: 2.6MB
    MD5: 021eb4fcc749f28b9869ad1e92fc02f3
    SHA1: 5e803924990c1dda724f7c8677920fca84b92921
    SHA256: bccbd021cc4bd90a3e9f8a7f46bd5f28fc8d06ab31db83cac12d906bc0c7f017
    SHA512: 5647ac3a37d13d48200c42b96177c0c04d3b512af6832504ec84a700ce22ade0a6555dd184f1130d5d9041c8463362303dc43670cc0074b666d66e53dbc5f7dc