Analysis

max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2024, 13:43
Static task: static1

Behavioral task: behavioral1
  Sample: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  Resource: win10v2004-20241007-en
General

Target: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
Size: 4.0MB
MD5: 14be2a9e768c5f9b271bb6e12c719800
SHA1: 296d5bd1976aa5a7c4171a877fb03a99ee7b0c82
SHA256: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904
SHA512: c43f39c3c8aa961f320f4d47d3b42afeb81e5eebab7f29730f919ef354fa474cc46ed5b854816d0731cb6118027370efdcf6e4cb487218229ac953cda1ac3468
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz
Malware Config
Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe

Executes dropped EXE (2 IoCs)
  pid 1832  Process: locdevopti.exe
  pid 2468  Process: xbodsys.exe

Loads dropped DLL (2 IoCs)
  pid 2168  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  pid 2168  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0R\\xbodsys.exe"
  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAG\\dobaec.exe"
  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locdevopti.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xbodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2168  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe (listed twice)
  pid 1832  Process: locdevopti.exe
  pid 2468  Process: xbodsys.exe
  (the 1832 locdevopti.exe / 2468 xbodsys.exe pair repeats, alternating, for all remaining entries of the 64)

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2168 wrote to memory of 1832
  pid: 2168
  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  procid_target: 30
  (listed 4 times)

  description: PID 2168 wrote to memory of 2468
  pid: 2168
  Process: 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  procid_target: 32
  (listed 4 times)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2168

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1832

  Level 2: C:\UserDot0R\xbodsys.exe
    Command line: C:\UserDot0R\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2468
MITRE ATT&CK Enterprise v15
Downloads