Analysis
max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
26-10-2024 04:37
Static task
static1
Behavioral task
behavioral1
Sample
df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
Resource
win10v2004-20241007-en
General
Target
df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
Size
2.6MB
MD5
c34c3c696612aa793e3357bb84d187e0
SHA1
37a84a246d37673a35e4ffd90003308bd45c7c7d
SHA256
df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4
SHA512
d5e0f513da5d4c6e850e2f90ab7116061cd9a0a113981905c15ca4623cbe3023a8511dd944440d9e78ad91ed45ce39d30acd7347dc26d8b031505eb19f8f62ac
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpIb
Malware Config
Signatures
Drops startup file 1 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
Executes dropped EXE 2 IoCs
pid  Process
2276  locadob.exe
2872  xdobsys.exe
Loads dropped DLL 2 IoCs
pid  Process
2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeME\\xdobsys.exe"  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWA\\optidevsys.exe"  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  locadob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xdobsys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2172 df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe 2172 df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe 2276 locadob.exe 2872 xdobsys.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description  pid  Process  procid_target
PID 2172 wrote to memory of 2276  2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe  29
PID 2172 wrote to memory of 2276  2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe  29
PID 2172 wrote to memory of 2276  2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe  29
PID 2172 wrote to memory of 2276  2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe  29
PID 2172 wrote to memory of 2872  2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe  30
PID 2172 wrote to memory of 2872  2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe  30
PID 2172 wrote to memory of 2872  2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe  30
PID 2172 wrote to memory of 2872  2172  df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
"C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
  C:\AdobeME\xdobsys.exe
  C:\AdobeME\xdobsys.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2.6MB
MD5
69dee9b0499519eb49a78f78c6ffd5d9
SHA1
59edd61b2d48db78a1c15102ae134e8efa60f37a
SHA256
7fd98ab0bd7b37193b7daf6fd688f554195547124f7cb5bdee95cb9709fc88fe
SHA512
218cf1d5b63edac196b431c1498d31f6a942dd0da8ca0eb3a8146f35759b2a11b41c56bf51e5eeca24584af5c08f12d8aa079e9bca4bc18ce2863fa18d9792b6

Filesize
2.6MB
MD5
1575cfb4f611d2785a974b7170114e7d
SHA1
350d5d3135fb1c2ac32c52812ea3202f298dd9ac
SHA256
4d9c304ed16316b6dcc75f053392cb37eac472bcd86bf9cfd86129c5aade1eca
SHA512
46449ee439d1be25f7faf459f220b885218c504bd8494d9e2fb274225f98bbffe1a420186388f7a5ed037e9954a8c7c3cdb6793ccaeeaf448c541391e090bb37

Filesize
2.6MB
MD5
883b5aba3589da711279e73b00e6a253
SHA1
0d51181257eae531f9d61ef1ac1a3e8b92a9b611
SHA256
f54909b6f2c4b2f8247629452d31fd68550375dc0fa6484c899dc46e26afeb43
SHA512
1d9490015d640e63bab6d48722cabd2db524f6d87c2378b83cd314d6193113ab8577463ef25bf46adac4ac446ce2f4e834be62c3ca6df361d21b3eeb5269d551

Filesize
171B
MD5
3d1469a357d788b44132488f5bd36995
SHA1
6b5efe735b5e3aea4dc28bbc8bcd73dc6bdae3b1
SHA256
6d9544e1a5e1103c69a1182712759b4e0d5fbe45252d7714754e31a9294ce154
SHA512
06fbe473ea090dcd2cfad9dd3be2dc103a4d9fe978215b127a4464e4d46c1811f4f934992e83f8e15d252022b1c76f2757c14e6a3fea3153a27237bdb3605ea5

Filesize
203B
MD5
45d30f1d988caae27135b5e45e18eb29
SHA1
a640fb336e0498eb66b4b58fb22e3b8a48dfdc56
SHA256
819e1fe703ba024f672dbf2e6b164ca0cdcfff7604d35ce62239aa5b3917c822
SHA512
e0eda8155aa264c87891b1fdaf0cb1ee8150e6f323ca81cf42785d434b3f1291137b7fd69691e52fb6993356a6911c32bc3ba1c2240a058bde58ef48f65ae38f

Filesize
2.6MB
MD5
3c3e3a5b6bd052d4bcf1561f6a194148
SHA1
1a4be5cee2f4ec045a11d475f46dcf103ddc595a
SHA256
4efdfe152139003f07a30de795b0e76e3699a5b332ed3aa6bf187b95c655bae8
SHA512
9ba397e8b9f32312f93cfe44319345a238357faefe273dc081a40fb900098581daac834243bc00b15f0ebcc7c115d8a365f92408ca639569be3555e041b025c2