Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 22:23
Static task: static1
Behavioral task: behavioral1
- Sample: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- Resource: win10v2004-20241007-en
General
- Target: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
- Size: 2.6MB
- MD5: c0f890c9b99201af39fd56f688b7d8e0
- SHA1: 6ca6f2ad3d375789f061c2f78aead750025bb599
- SHA256: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5
- SHA512: 27e12397a0946219f60256774774a5aab5309935a717439a6a1eae1b6c68a1ac4272178cda5d8548298fa0cc22e58adefb36ffa78d58a1f318d0d9d17f697c3c
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSq:sxX7QnxrloE5dpUpBbV
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (process: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe)

Executes dropped EXE (2 IoCs)
- PID 1648: locadob.exe
- PID 2120: xbodloc.exe

Loads dropped DLL (2 IoCs)
- PID 388: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP0\\xbodloc.exe" (process: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7A\\dobxloc.exe" (process: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locadob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 388: 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe (2 entries)
- PID 1648: locadob.exe and PID 2120: xbodloc.exe (alternating repeated entries; 64 entries in total across the three processes)

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 388 (1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe) wrote to memory of PID 1648, procid_target 31 (4 entries)
- PID 388 (1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe) wrote to memory of PID 2120, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe"
  PID: 388
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 1648
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\UserDotP0\xbodloc.exe
    Command line: C:\UserDotP0\xbodloc.exe
    PID: 2120
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads