Analysis
max time kernel: 119s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:37
Static task: static1
Behavioral task: behavioral1
  Sample: df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
  Resource: win10v2004-20241007-en
General
Target: df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
Size: 2.6MB
MD5: c34c3c696612aa793e3357bb84d187e0
SHA1: 37a84a246d37673a35e4ffd90003308bd45c7c7d
SHA256: df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4
SHA512: d5e0f513da5d4c6e850e2f90ab7116061cd9a0a113981905c15ca4623cbe3023a8511dd944440d9e78ad91ed45ce39d30acd7347dc26d8b031505eb19f8f62ac
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpIb
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3292 | locxbod.exe
  3604 | devoptiloc.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPJ\\dobdevloc.exe" | df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFT\\devoptiloc.exe" | df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
  pid | Process | entries
  3988 | df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | 4
  3292 | locxbod.exe | 30
  3604 | devoptiloc.exe | 30

Suspicious use of WriteProcessMemory (6 IoCs; repeated entries collapsed)
  description | pid | Process | procid_target | entries
  PID 3988 wrote to memory of 3292 | 3988 | df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | 90 | 3
  PID 3988 wrote to memory of 3604 | 3988 | df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | 93 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe"
  PID: 3988
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (child of PID 3988)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    PID: 3292
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvFT\devoptiloc.exe (child of PID 3988)
    command line: C:\SysDrvFT\devoptiloc.exe
    PID: 3604
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 580adcb785f4c9d7fa7af2eba4b73288
SHA1: dd1446e035ff646b25159a1b9d6352cb8c78ba4f
SHA256: dc1206cf447efdadc029458d8426a799fd9feba020da4e33b840485a8ac234f2
SHA512: 32c1ad509780ee27dfae40a19188dd3d2995e4b59e9151c0a8fc426b29ec0c5f9cd1d4342b7de6a18704d08cf16f3e176729725c0943e9370c7ad3960b60aebd

Filesize: 2.6MB
MD5: d5c473000255f9842b989abcac1069e8
SHA1: ec9b07cc872b4bef88dda00e1ea7808736a3fd9c
SHA256: 06e9caa7ae9ae632c13d0c646aaa1fe655dfebea8158ad82821d37df90eb6e19
SHA512: 65908aad2838a2af4c331d82a66f17997002c817506f27afe57c82336b3438c53df3bee857c048686efc5ecb1706f74f558b588119cb2fd653f18671e78898e5

Filesize: 2.6MB
MD5: f1439ca7f62955cea0a11fb3ce1eaa2c
SHA1: cfb70a8e67e3d23f56cbe694845f9a4b76dd760d
SHA256: bc80fa3fac51184be5787fdaea266bbd8ee08aa558cc39b8c48e1425216c8a04
SHA512: 2a1d04e77067180777cd68f50594e7e3d3041bdc9e5a15f443d071cd993a2fa0405e00a950fbca2c1e539ec41f43dd24d8e7873cfb672681ea6f7fd6d71c271c

Filesize: 207B
MD5: aab39225ae2a555248e3e417c63940f4
SHA1: 5789edae92c854e555ba4771dd9e2fa6faac1e0d
SHA256: 5c4544f0db351afc886a361cae7c5e185a1f1b51833c2787513b2078519608c6
SHA512: 371d675b2aaff18181d6750ce6cc273a55d8737ec08216cf19953c21bb736c31567d055d98e7d010afc5dc8f0327ad1782aa6170e2b966af8d65195dd9d662c7

Filesize: 175B
MD5: c87521cac59dc8636cdaceeffff57f95
SHA1: 2e9d96cacfcac9068bee7f9761441290e3dd6836
SHA256: c954ce24cce760a33ff026afd004f993a89830cee13044408dce1794cedb25b1
SHA512: ab8cf815f9c6d8342631276772c59fbfd1fc5408b6bf4ae17f4199351874b229b75073ee44fd0df673223c853d9e7c3d5b504f42e8075b87abba9fa4d6134642

Filesize: 2.6MB
MD5: 43cd4bc776276a934a84107dda664c37
SHA1: 3c28aa5f0c13642db1b85ab016d3d675b71d52b2
SHA256: 2d935c69b3eef3171680e2860159f24ce81d35a73f7ef2c32e99e810b6fa4e1f
SHA512: 27eb8169b5e82da043a77f160f2dff0f414dfa661389e41824cea38679519c6a7d1c54f4d6ad07e46e3ae540f2e6440e1fc2e987700a5f11c289a3489b4e54cf