Analysis
max time kernel: 119s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-10-2024 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
  Resource: win10v2004-20241007-en
General
Target: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
Size: 2.6MB
MD5: 472bd8b04f1ef850d7444b945f4b4b10
SHA1: 369f37738c50768e1092c6abe618d6023d484e65
SHA256: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3
SHA512: 83272470b2d06ab3dc2e67afc7b224f6ba9df5b8ccebf9c3dc9f8755d1fd9d3d7b4eddac4f18d145cdbb57dc8c479316bdd87df09dc5325ef2b45c1420b9c117
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUp2b
Malware Config
Signatures
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe)
Executes dropped EXE (2 IoCs)
PID 744: locadob.exe
PID 4696: abodec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5F\\abodec.exe" (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZ8\\optidevsys.exe" (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locadob.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 2544 fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe; PID 744 locadob.exe; PID 4696 abodec.exe (64 repeated entries across these three processes)
Suspicious use of WriteProcessMemory (6 IoCs)
PID 2544 wrote to memory of 744 (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe, procid_target 89), 3 entries
PID 2544 wrote to memory of 4696 (process: fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe, procid_target 92), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe (PID 2544)
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (PID 744)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Adobe5F\abodec.exe (PID 4696)
      Command line: C:\Adobe5F\abodec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads