Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  Resource: win10v2004-20241007-en
General
Target: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
Size: 2.6MB
MD5: 2ead6a6da90bc4921365d428319a4d80
SHA1: 8c5ab884a871c1901a8223c9295db1b6125a26dd
SHA256: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6
SHA512: 4de06daa51637c60fd04075a5ad690a7443102e55b612171d05149242236653f9617164b56670bb0bad703816063d4aec24e1cf08d0624e1be369659a8e04f85
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bS:sxX7QnxrloE5dpUp4b
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
Executes dropped EXE (2 IoCs)
  PID 2160: locdevbod.exe
  PID 2736: xbodsys.exe
Loads dropped DLL (2 IoCs)
  PID 2408: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  PID 2408: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeM3\\xbodsys.exe"
    Process: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTQ\\dobaloc.exe"
    Process: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2408: 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe (2 entries)
  PID 2160: locdevbod.exe and PID 2736: xbodsys.exe (the remaining 62 entries alternate between these two processes)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2408 (931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe) wrote to memory of PID 2160, procid_target 31 (4 entries)
  PID 2408 (931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe) wrote to memory of PID 2736, procid_target 32 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe"
  PID: 2408
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 2160
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\AdobeM3\xbodsys.exe
    Command line: C:\AdobeM3\xbodsys.exe
    PID: 2736
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads