Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:07

General

  • Target: 18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe
  • Size: 2.6MB
  • MD5: c5c77506dd0ff5ad3334e7af84c379d2
  • SHA1: e333f436c24b53d8a5f09afa8ae4b759c01f1dff
  • SHA256: 18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f
  • SHA512: a2939bb6f40b1036fdd02e9c683581de21d36422f40f6f53bfffa131ca634078021f8d1cee22ec0349374c4654206071d764ac96d463238548662e6530a1c82e
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSq:sxX7QnxrloE5dpUpubV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe
    "C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4720
    • C:\FilesHI\devdobsys.exe
      C:\FilesHI\devdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesHI\devdobsys.exe
    Filesize: 2KB
    MD5: d0c1cfb1bc751f796263e7f6ddb68f7b
    SHA1: e35ef7c594cb6baa90f3b77146b71e296e56c4e9
    SHA256: 1a6c015cd3f38350b98a4f16e42869a081c8c2b12faf73546f606cb722413f4a
    SHA512: cae3f67e99cde353b575ad9336db1f03f0a932d3a54e204190c32c3ac66e11ce387b2173bee5874627fd1c416b95406b774b630d0f3a6fd4b69f5987598a54cf

  • C:\FilesHI\devdobsys.exe
    Filesize: 2.6MB
    MD5: b22367070085175ea5bb9a668b97597c
    SHA1: b2bd3c12d3868079c082db71868be46b767ed552
    SHA256: 4374c661f4c7a7e6b8a8ad1345e52a107a2b79fe97290def989e578da19af856
    SHA512: 8bbb13294969e9ec32dd561959d9647191e729abb55c7f0a71152df39e705b59d15fb160eea71b857681b6f6d0002e1c3f0a572d2225fd9ebf9a4411f7f326f8

  • C:\KaVB0K\dobaec.exe
    Filesize: 2.6MB
    MD5: 8a0211a3abdd5be0f116a99aa0d47595
    SHA1: 94052b238233594006ea4083a68e50c92a4772bb
    SHA256: e5eebbb46ca0ae7781aa7ac9a9e1d8ea570dbc57303b77056c9dfe587058e016
    SHA512: 890a9263f03eef23f65da930fe7f0e2762ae583c90234b5d00200448eee7212bb961f1135599722d9ad8df10ef4571752111e9df56ee7ea271ac575a1a06a39e

  • C:\KaVB0K\dobaec.exe
    Filesize: 2.6MB
    MD5: 0ae881b5f09b9047adf46903243637b0
    SHA1: 15e5da18ae7b8d5fdef94ea189eb42cc52f7eddc
    SHA256: 45835d391f32e2bb07b7cfce44634dd2eeb035c5a8a21f82b552072e5968dd60
    SHA512: 360beb83df4f16e824b7960283bd2d84fb1a41ccc5f16ad9854df5d4a8252e9cc8f1c5ab30bf0273d9203dd6bfdf01224c1fce2d97bc86b0ada870d6a32ca82b

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 202B
    MD5: ab4d393d3bc1a80a039116e114c5c2e9
    SHA1: d7977b9f62432909274dd229fe81e758e9522417
    SHA256: 8a69bec2ed97fba52dc0f72e872314e788bf4c7fb090f9aba98ecbe0a1fe2a12
    SHA512: 0192ec1e4a4a7602b29b6b9c07061f727ce2dbc2ec0aa6446ad2df022f966fbc3662e12f904de5cac0d8f6ef3e15d3a522410769f228f3d3dd9c35fd60628660

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 170B
    MD5: 5516a4887a90702389fadcaeaeb31119
    SHA1: 8cf3ef56c7bb67d4247c30f57328ab2a5b5cb958
    SHA256: 18ce44bfc6e23814f74aea17eb25dcb8bb60f9cc9b05f4cba5d9a17fcc97d533
    SHA512: 43514bd15a361eb767f8c4a46bb87c80912b7065cc52a4aac16f8b9bd0d53c2d82560c89475c99d27a11fbe69c6368f8c217d27df7f7e7dd7a34e90b32baf473

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
    Filesize: 2.6MB
    MD5: 53f25dd70f4861b14d9b8dc64f27e542
    SHA1: edb27e6af506b8538bbf2fb70bf61ca854b18ab8
    SHA256: cf34f19f70e2221d7651722e7540f65957d0acef4f35a0350d177bfabbb031b0
    SHA512: 78d50918b8fc45e78a1b32cc366b7730f11e9d4501be783a06b05350791c2daaeaf029ef1de83cab309275b72a4b5205a3da5788d884ecb2f5210f0e2076af78