Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
  Resource: win10v2004-20241007-en
General
Target: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
Size: 2.6MB
MD5: accf34785eae1f5727b18983b01c38b0
SHA1: 462a1bb16c7eb99319f254eb1df1e852b2ebfeb5
SHA256: be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7
SHA512: 072ea1f8d38c649328231e4310b1bcaf70734ae58033121d9acc751a774777926acc22e50cdae20eb48463f347669cd96649f691fedb001cbfef6bec971b7da8
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpUb
Malware Config
Signatures
Drops startup file (1 IoC)
  description   ioc                                                                                        Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  2344  locxopti.exe
  2496  devbodloc.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
  2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGM\\devbodloc.exe"    be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8Q\\boddevec.exe"  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  locxopti.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  devbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
  2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
  (the remaining 62 entries alternate between 2344 locxopti.exe and 2496 devbodloc.exe, 31 of each)
Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 2252 wrote to memory of 2344     2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe  30
  PID 2252 wrote to memory of 2344     2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe  30
  PID 2252 wrote to memory of 2344     2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe  30
  PID 2252 wrote to memory of 2344     2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe  30
  PID 2252 wrote to memory of 2496     2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe  31
  PID 2252 wrote to memory of 2496     2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe  31
  PID 2252 wrote to memory of 2496     2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe  31
  PID 2252 wrote to memory of 2496     2252  be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2252
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe (depth 2, child of PID 2252)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2344
  - C:\AdobeGM\devbodloc.exe (depth 2, child of PID 2252)
    Command line: C:\AdobeGM\devbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2496
Network
MITRE ATT&CK Enterprise v15
Downloads