Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 00:21
Static task
- static1
Behavioral task
- behavioral1
  Sample: 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe
  Resource: win10v2004-20240426-en
General
- Target: 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe
- Size: 2.6MB
- MD5: 514f35751c767a1c308307b8ab16582f
- SHA1: 5b43a258c112ebccb311f32777ccbeaffaa7bbac
- SHA256: 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987
- SHA512: 62d2f0425ec4a306bb35272e3530fd911085df47a384a4f9d729866a36bf56ca671a80ebfa1f192e0272ee7e8f0f0cd1ce5cddf9abcb51caa8a9272382eb7536
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpob
Malware Config
Signatures
-
- Drops startup file (1 IoC)
  File created by 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Anything placed in the per-user Startup folder is launched at the next interactive logon of that user.
- Executes dropped EXE (2 IoCs)
  PID 808   locdevopti.exe
  PID 2384  abodloc.exe
- Loads dropped DLL (2 IoCs)
  PID 2408  941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe (two loads; the report does not name the DLLs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report lists no file or registry IoCs for this signature, so the specific browser stores touched are not recorded here.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Values set (type str) by 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe under
  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion:
    Run\Parametr      = "C:\\UserDotST\\abodloc.exe"
    RunOnce\Parametr  = "C:\\Galax2D\\optidevloc.exe"
  Both values share the name "Parametr". The RunOnce target, optidevloc.exe, does not appear anywhere in the process tree below; the binaries observed running are locdevopti.exe and abodloc.exe.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 rows repeat three entries: PID 2408 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe (2 rows), followed by alternating rows for PID 808 locdevopti.exe and PID 2384 abodloc.exe.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2408 (941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe) wrote to memory of PID 808  (locdevopti.exe): 4 rows
  PID 2408 (941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe) wrote to memory of PID 2384 (abodloc.exe): 4 rows
  A handful of writes from a parent into a process it has just created is also what ordinary process creation produces (the parent writes the new process's startup parameters into it), so this signature on its own does not establish code injection; both targets are direct children of 2408 in the process tree below.
Processes
- C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe (PID 2408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 808, child of 2408)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotST\abodloc.exe (PID 2384, child of 2408)
    Command line: C:\UserDotST\abodloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
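The persistence artifacts above (the Run/RunOnce value "Parametr", the Startup-folder copy of locdevopti.exe, and the hard-coded C:\UserDotST and C:\Galax2D directories) are cheap to hunt for on a live host. The script below is an added example written for this page; it is not part of the sandbox report and not code from the sample. The paths, value name and SHA256 hashes are taken from the report; the hive-walking, the hash comparison and the process check are the example's own additions, and the report does not say which dropped file carries which hash, so all of them are treated as one set.

```powershell
# Added hunting example (not from the sandbox report): look for the persistence
# artifacts this report lists and compare any file found against the report's hashes.
# Run elevated so that every loaded user hive under HKEY_USERS is readable.

# SHA256 values copied from the report (submitted sample plus the Downloads section).
$ReportHashes = @(
  '941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987',
  '0620fef7d51d97a3d260a1b2b3acbef836002afa52a90f1a54a15a30e389d545',
  '75bcf13c8a274457f05112e09f702957a7f541c8760c10bc86d3a1ae77679793',
  'ae4ed96b635fb8663aeddee18e3bddb7ce3581e9e2ac021bf2470b59fab93ed8',
  '8f8ddaeb127bc861671cb51ffa5c23e080f53d455b0e2db7e874e4a3fef9915b',
  'c4e6a0742c97caca46c1d4a94e51d0a8af368ffa309b18872644a7aaa0797e91',
  '056ea282f20d6e328f17aa225b37109be19dbd5d701e99684101625a78129e46'
)

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
  param([string]$Kind, [string]$Where, [string]$Detail)
  $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Run / RunOnce value named "Parametr" under every loaded user hive, not only the
#    current user, because the report shows the value written under the victim's SID.
foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
  foreach ($sub in 'Run', 'RunOnce') {
    $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$sub"
    $val = Get-ItemProperty -Path $key -Name 'Parametr' -ErrorAction SilentlyContinue
    if ($val) { Add-Finding 'RunKey' "$key\Parametr" $val.Parametr }
  }
}

# 2. The two hard-coded Run/RunOnce targets plus the Startup-folder dropper in every profile.
$paths = @('C:\UserDotST\abodloc.exe', 'C:\Galax2D\optidevloc.exe')
$paths += Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe" `
            -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }

foreach ($p in $paths) {
  if (Test-Path -LiteralPath $p) {
    $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $verdict = if ($ReportHashes -contains $sha) { 'hash matches report' }
               else { 'hash NOT in report (variant or unrelated file)' }
    Add-Finding 'File' $p "$sha ($verdict)"
  }
}

# 3. Live processes carrying the dropped names, wherever their image lives on disk.
Get-Process -Name 'locdevopti', 'abodloc', 'optidevloc' -ErrorAction SilentlyContinue |
  ForEach-Object { Add-Finding 'Process' $_.Id $_.Path }

if ($Findings.Count -eq 0) { 'No artifacts from this report found.' }
else { $Findings | Format-Table -AutoSize }
```

A file that is present but whose hash is not in the set is still worth pulling for analysis: the report shows four distinct 2.6MB payloads written during one run, so a repacked variant is the expected case rather than the exception. The Startup-folder entry and the Run value are independent persistence paths; removing one without the other leaves the host re-infecting itself at the next logon.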
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during the run)
- Filesize: 2.6MB
  MD5: 4b3bd2484fd59ba0473df68d0d7f8a1f
  SHA1: c4d7b4b3b65db233515e3684b773e4d6232040fd
  SHA256: 0620fef7d51d97a3d260a1b2b3acbef836002afa52a90f1a54a15a30e389d545
  SHA512: 76f797e74f5e8a805b499623a079c61964682b4af238b288c56c388fbf7440b6c5e86d09970d8ba90bca853b4dd59144a1d1c961bbeae39cdf952b8077ff9504
- Filesize: 2.6MB
  MD5: dbf5aa1f644df3c27d8bbc36e1056871
  SHA1: 5e10f05c7a6a10c456b0be9b38c751a2967a9c5e
  SHA256: 75bcf13c8a274457f05112e09f702957a7f541c8760c10bc86d3a1ae77679793
  SHA512: 9b132bca4ec19f898a62e5a53b74711a3c11fa3f71aa5cae5419be39ddc6d3738aaae75a3e35bbd01f2d09b9882aac11e1deedc2a8ed8b56fa05437fd1499fe7
- Filesize: 2.6MB
  MD5: fc5ef04b2995b69640cec1f071f7926f
  SHA1: 65b3d5c360f0f2a4f8a64992b021144b0bba4979
  SHA256: ae4ed96b635fb8663aeddee18e3bddb7ce3581e9e2ac021bf2470b59fab93ed8
  SHA512: afde463e64baccfefd830f183b113dab6634f699af9000d86cc28406ed78d5475ac918240ccd834abe6d4b16be5a08853293c60ce96be22c993ac02806f20308
- Filesize: 177B
  MD5: a4889691ed0a42d9f82e1d115ae6b0e4
  SHA1: 0f7700dfbd856756ce5b06962356006f23deefab
  SHA256: 8f8ddaeb127bc861671cb51ffa5c23e080f53d455b0e2db7e874e4a3fef9915b
  SHA512: c4ee342bd97ccdb293f91eefabee641ec74db3b1ea9c483e94a43eda9485f325efe3f47f5d78d38d660bd7fd152f694b5ea519e2ccbd4661ffece6c6a9e137be
- Filesize: 209B
  MD5: 3face50e47f9e3c9ede0355b9c722292
  SHA1: 199bc25a99f8e984e6c6a307d8fced55d97fa37a
  SHA256: c4e6a0742c97caca46c1d4a94e51d0a8af368ffa309b18872644a7aaa0797e91
  SHA512: 555e4efd9f2566f19f80f3453cd790e1b7fa7327f00f35380848a0a24cac998d5efb75a11fa8f4f2fefe7df8569fa47e15a120671cddd44d7591a1953933780d
- Filesize: 2.6MB
  MD5: 8b979d17b1e31c0d9a6508dcaab6ea8e
  SHA1: 49ef3dfa7e35188a43387c5cf73372d46d6f4135
  SHA256: 056ea282f20d6e328f17aa225b37109be19dbd5d701e99684101625a78129e46
  SHA512: 0ae2d4163a510376b46806744bbaa17df57fc6a850c6a89067ace610ff990fa9bd6b41cf05130e8d6bf6029204e4b92b30a17a6d1d959e12cd31caf5d2daae9d
The report does not map these hashes to file names. Four of the six are 2.6MB, the same size as the submitted sample, with four different hashes; the two small files (177B and 209B) are unidentified in the report.