Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:02
Static task: static1
Behavioral task: behavioral1
  Sample: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  Resource: win10v2004-20241007-en
General
Target: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
Size: 2.6MB
MD5: 5a24aab9c57efbeeeddf8a3ab6fa1830
SHA1: 806fd05f97b00c41e8f22905e1b9eaccf8d75af1
SHA256: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952
SHA512: 841d09a3b7c3d91936b1574dc2264a9b54a0177d949836ea8944e9fa6f31a77df0a32b049aa68919cc7139ceba699f2449d2430d2e582363d7235a52530bf4fd
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe, by process e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
Executes dropped EXE (2 IoCs)
  PID 2876: locaopti.exe
  PID 2896: xdobsys.exe
Loads dropped DLL (2 IoCs)
  PID 2740: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe (2 events)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ1\\xdobsys.exe", by process e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZC\\dobasys.exe", by process e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process xdobsys.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process locaopti.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2740: e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  PID 2876: locaopti.exe
  PID 2896: xdobsys.exe
  (64 process-enumeration events in total; the same three processes appear repeatedly, with 2876 and 2896 alternating after the two 2740 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2740 (e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe) wrote to memory of PID 2876, procid_target 30 (4 events)
  PID 2740 (e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe) wrote to memory of PID 2896, procid_target 31 (4 events)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e88923edc85f029d8072bad8ca1a5057fecf9433e0b20b4797f4ac8cb80b5952N.exe"
  PID: 2740
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2 (child of PID 2740): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
    PID: 2876
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Depth 2 (child of PID 2740): C:\SysDrvZ1\xdobsys.exe
    Command line: C:\SysDrvZ1\xdobsys.exe
    PID: 2896
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads