Analysis
max time kernel: 120s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 21:57
Static task: static1
Behavioral task: behavioral1
  Sample: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
  Resource: win10v2004-20241007-en
General
Target: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
Size: 2.6MB
MD5: 9ebc951d9f3d04ba4d47f1505fee8b90
SHA1: e0a79e1dd7d32d225df7099fde992c04bfd4c97c
SHA256: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2d
SHA512: 802fef0c5e9258932e1d4e973edac26d60cfb1399c38593e15a2a484a6b75aa6d15c3a874762d805ea86e6ad7cb31e8141753b9bf053ad06596f5b67edf0b7e4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (process: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe)
Executes dropped EXE (2 IoCs)
  PID 2060: locdevdob.exe
  PID 1676: xdobloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFT\\xdobloc.exe" (process: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNC\\bodaec.exe" (process: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobloc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevdob.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (64 entries in total, grouped by process):
  PID 4424: a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe (4 entries)
  PID 2060: locdevdob.exe (30 entries)
  PID 1676: xdobloc.exe (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4424 (a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe) wrote to memory of PID 2060, procid_target 89 (3 entries)
  PID 4424 (a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe) wrote to memory of PID 1676, procid_target 91 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4424
  Child processes:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2060
    C:\IntelprocFT\xdobloc.exe
      Command line: C:\IntelprocFT\xdobloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1676
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 730de6f3c43df5ce8b4e5f87faa3cec9
SHA1: 76e7a53a073936a5bf252bc93521df8fa12a189b
SHA256: c96f597439ba77c0b88eab7848946ed2adfdc50f7257ca2e857e827c1c820322
SHA512: a173e50570a7db3c4771a124a1d2018ef7fa947f79d9cd1513c8e2d7b7ff89536915bc5d7124c24a19b6888846fcff80894cf5efcfe21f04156a0c6c90b05b15

Filesize: 2.6MB
MD5: 4340c5af6e8404038ab5805015895c05
SHA1: c00d24afad04cfd26e3dfd544f67e8e7ffd47759
SHA256: 71c1adee2c548c270f834b22d949916130eb8485183d664458182d440a7157d0
SHA512: bdea9a4321ad8065e4d2306f28c85f62c362400987323d2a1b7db845b041f8ab252c72a73df0d7dff5f3c1bcc1661f51995b28f7d8ed0638636bcb9f5e1092dd

Filesize: 1.2MB
MD5: 1626f324fa76ed86c3814dcca605b817
SHA1: 6ba221c51a418fecdf56b3277123fcc908e7593a
SHA256: d707cbac79a9ab9fa4e4101c71e673b5b4fb13276cc58cd2a7fabdb5994eecd3
SHA512: 5979cde95fe4b98963df21a664dcd4ea7d1f3f44b353030b9a7d024d4710af23fa8cf7ee277fca027e2725aa603238d2f4fb552887d27727d824a991b7598f47

Filesize: 205B
MD5: 40878f1230354d0fd041f4f470710fe0
SHA1: 11aa86d24de207762e1e586688f64e3cadc9d37f
SHA256: b51c926cbd19bd14caff6ec099db0b349fd836209df5cc7debd30b693d9cc9ca
SHA512: 45007ad39d3b11c202caa8a86c8326933ff528c269fcdfbd7ccd1f08abc276d3a3e97b58df2141dfc451468b778f0ca59c0a76b7f4b224992c4767fb81bf7a97

Filesize: 173B
MD5: 701dbf1ecd0054eedb47cd021b9cc453
SHA1: 162423eab564bbff4240251d14f2f0b698529519
SHA256: 7b89d3874842d56678d158e12aa922e0239f2ea08a454aa0de41fbe8283ef578
SHA512: 17f94b973e2749df11bec5b0c84a621bfb2d8431aeb417741d1441ed0112e3197b3d78e7e3f890471031080c23da8dbe473c58a5206083ad06a97617645c7283

Filesize: 2.6MB
MD5: 5b82cc106f7bd815d82e2bc95ef2144e
SHA1: 9daec5d99925f8bc63d4c13804889799be30af0b
SHA256: 2289ec1d42300b48baa80c9bfe1becd2baba7339ee930681f29079af79ab4663
SHA512: f08912b9b194f9b212d4698ef5163d36c958e0f7a05ff94d0845d8292f3e0a11705d724bab6f3f70d190497689265055a9e4ce5cb9efb8375629017d3c4d233c