Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 20:04

General

  • Target

    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe

  • Size

    2.6MB

  • MD5

    bd630a9ba2c922e4babf7a3500ea6147

  • SHA1

    dec4b426fed27ada83c55fe2d396ddafe14110b1

  • SHA256

    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121

  • SHA512

    a90ff75ef556aead376959100774cddf3f3594b0d592f7be7f061604da065f02744c06e0c98e97e256e1ff323b39cb12477288641f31567054333b4dca4a69ae

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqS:sxX7QnxrloE5dpUpobVS

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
    "C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2668
    • C:\SysDrv5F\devbodloc.exe
      C:\SysDrv5F\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZTH\dobdevloc.exe

    Filesize

    2.6MB

    MD5

    5b98d0c89193911274755990d5dea2e5

    SHA1

    f422d0ba046b7b507c750b06e866befb5ba7e356

    SHA256

    2cb14d5c01c5e9bb48a20a9c60953b644519c7cda394b48922f08d3d955c592e

    SHA512

    9bf80a83059d139004cac4e9da525de1b3eddb16b31945d1109aecb8255999484202b2c2bbba1ace8fa5fb0d18a26eed04fca6e349f5b3a2a4d722f784137711

  • C:\LabZTH\dobdevloc.exe

    Filesize

    2.6MB

    MD5

    136ecc167395b0d9639b9584ba09db6a

    SHA1

    7d8d4263ff96ce49e77f350dae872c9aaf52fea5

    SHA256

    ee9243b37980a8b75dd505dcd93cf6caa883160c73be4249836bc28d4107c4dd

    SHA512

    17ac7a986530c0ffbd2b105ace8b18ce318ade618ba003002e1e81175fbd7d40330721682e81ac07ce37a8263abdc9dc3b6e14f0459d5cd939283db083172592

  • C:\SysDrv5F\devbodloc.exe

    Filesize

    2.6MB

    MD5

    43817318a2d1b0a33a694c07491442ae

    SHA1

    fe9651e3ef6d87b61ba50a813e0572c52d417841

    SHA256

    647d28d27e6a2bf57fa96f0b3e561b696478b171d08c66483772dbb495831a6a

    SHA512

    6f6826a862300ef7e44b3f21aef0cb1bcb8b79b3c77b9808c31f6d4b2fbb52fc424ff704e6748cd3c351f870c9bcc4e4e3d0d702281b598ab4415faade148072

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    176B

    MD5

    ebf263d2e3b73cd0a739d6c8e73cb40c

    SHA1

    e2dc08203e02df75d34333462055b1018dcea041

    SHA256

    1c859a8657866dd90b93d7b72073646bec9d4984896bd032e8e40032ddceee58

    SHA512

    f94abe0acd23be33f790d9521b2ad14e2d97a1acd29fedd1a4d85b17d511ecfc8b2f2826318b15fb484ba94bc5927f4bc441781a5ded4bfcbbaabcd9bd5635b7

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    208B

    MD5

    5a739c774074ff59bc5ab2b0bf5425f7

    SHA1

    ffbb2ab5b54d79d91a927972ba085a6889ee70d7

    SHA256

    4418574c7e1d776445e8d18ee75a2d93652f6bcbedb814f5f1f69a6b73fd2be9

    SHA512

    e180c2e2731b24240996a78179d3bacdfddec9989a1371c3f14c29e7e8f3348998890569ce89d12a1d0d753749187c49a06bf7f9957a117f2c2f7060823eecc5

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

    Filesize

    2.6MB

    MD5

    7884e479b90646cc42e17896891a7717

    SHA1

    ffa6844e624fda632fe0508f7630b6ff1f862eeb

    SHA256

    3ee04ab6be3a84928ac60bdf0709514b52443a60e5cd19b3bf5b723c9f364b88

    SHA512

    e0f2cb89c4a60393593a7a31861fec8325562923e0deeccb1d3040059221e107c5fcc06d0417c22d5a0425a92f628af2d5471538a3ba83351207c6cb3f8994a0