Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 03:13
Static task
- static1

Behavioral task
- behavioral1
  Sample: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
  Resource: win7-20240419-en

Behavioral task
- behavioral2
  Sample: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
  Resource: win10v2004-20240508-en
General
- Target: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
- Size: 3.3MB
- MD5: 1fb36ec40b8dac633f226b941c5c9ed4
- SHA1: 0efdccfb197b85637eb475fed1fa218ce61a1149
- SHA256: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e
- SHA512: 591b6de05eb65b818eff346e201bbc4477aa162b7018efa2c1ea7cf2abc7b286b18d90c3fe5395f7852ca063ceb7528f1acbc4b8b18e1081a70a8aa4f0a0e9d0
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8:sxX7QnxrloE5dpUpJbVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

- Executes dropped EXE (2 IoCs)
  Processes: locadob.exe (PID 2252), adobloc.exe (PID 2848)

- Loads dropped DLL (2 IoCs)
  Process: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe (PID 2288), two occurrences

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDR\\adobloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXT\\bodasys.exe"

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe (PID 2288), locadob.exe (PID 2252), adobloc.exe (PID 2848)

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2288 (b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe) wrote to memory of PID 2252 (locadob.exe), 4 occurrences
  PID 2288 (b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe) wrote to memory of PID 2848 (adobloc.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe (PID 2288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe"
  Signatures:
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (PID 2252)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocDR\adobloc.exe (PID 2848)
    Command line: C:\IntelprocDR\adobloc.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads