Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 12:45
Static task: static1
Behavioral task: behavioral1
  Sample: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
  Resource: win10v2004-20241007-en
General
Target: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
Size: 2.6MB
MD5: a3875c96399721e33b1ea6180d7f6e50
SHA1: ee29ca8862ccfb321c3cee04d6564dcf41d56402
SHA256: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3c
SHA512: 7681adc3c525607a6bc9fcc33d39c961a0eb0cd95deffcf9495ccd447ebbedfe026bddd3dc501b9ac61f057f82237125558869a5625482f21f116efd67912670
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSq:sxX7QnxrloE5dpUp6bV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Process: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
Executes dropped EXE (2 IoCs)
  PID 3764: locdevdob.exe
  PID 1772: devdobloc.exe
Reads user/profile data of web browsers (3 TTPs; no IoC rows are given for this signature)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = C:\UserDotMC\devdobloc.exe
    Process: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = C:\LabZG5\dobxloc.exe
    Process: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locdevdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2004 f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe: 4 entries
  PID 3764 locdevdob.exe and PID 1772 devdobloc.exe: the remaining 60 entries, alternating in pairs between the two processes (30 each)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2004 (f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe) wrote to memory of PID 3764 (locdevdob.exe), procid_target 90: 3 entries
  PID 2004 (f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe) wrote to memory of PID 1772 (devdobloc.exe), procid_target 92: 3 entries
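The two persistence signatures above (the Startup-folder drop and the Run/RunOnce values) written out as offline detection logic. This is an added example, not code from the Triage report or from the sample; the event records are constructed from the IoCs listed on this page plus one benign control record, and the field names (kind, path, key, value, process) are this example's own convention rather than the sandbox's export format. Note that the RunOnce value points at C:\LabZG5\dobxloc.exe, which does not appear among the executed processes in this run, so a host-side check should look for the registry value even when the file is absent.

```python
"""Autostart persistence triage over sandbox-style event records.

Added example; not from the Triage report or the sample. It re-implements the
"Drops startup file" and "Adds Run key to start application" checks so they can
be run over exported events offline. Field names are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe"

# HKU\<SID>\...\CurrentVersion\Run|RunOnce and the HKLM equivalents, in the
# native registry path form the report uses (\REGISTRY\USER\..., \REGISTRY\MACHINE\...).
AUTORUN_KEY = re.compile(
    r"^\\REGISTRY\\(?:USER\\S-1-5-21-[\d-]+|MACHINE)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder: anything created here is launched at the next logon.
STARTUP_DIR = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
    r"\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Run values whose image lives under these prefixes are usually legitimate
# and are skipped; everything else (user-writable or custom root dirs) is reported.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    technique: str   # "startup_folder", "run:<value name>" or "runonce:<value name>"
    image: str       # executable that would be launched
    process: str     # process that installed the persistence


def image_from_run_value(data: str) -> str:
    """Strip quoting and trailing arguments from a Run value so the path can be classified."""
    data = data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def check_events(events):
    """Return one Finding per autostart write, skipping images in trusted locations."""
    findings = []
    for ev in events:
        if ev["kind"] == "file_create" and STARTUP_DIR.match(ev["path"]):
            findings.append(Finding("startup_folder", ev["path"], ev["process"]))
        elif ev["kind"] == "reg_set":
            m = AUTORUN_KEY.match(ev["key"])
            if m is None:
                continue
            image = image_from_run_value(ev["value"])
            if image.lower().startswith(TRUSTED_PREFIXES):
                continue
            findings.append(Finding(f"{m['key'].lower()}:{m['name']}", image, ev["process"]))
    return findings


def by_process(findings):
    """Group techniques per installing process; several distinct ones from one process is a strong signal."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.process].append(f.technique)
    return dict(grouped)


# Constructed records mirroring the report's IoCs, plus one benign control record.
SAMPLE_EVENTS = [
    {"kind": "file_create", "process": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"},
    {"kind": "reg_set", "process": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "value": r"C:\UserDotMC\devdobloc.exe"},
    {"kind": "reg_set", "process": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "value": r"C:\LabZG5\dobxloc.exe"},
    # Benign control (constructed, hypothetical vendor): a Program Files updater is not reported.
    {"kind": "reg_set", "process": "updater.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]

if __name__ == "__main__":
    for proc, techniques in by_process(check_events(SAMPLE_EVENTS)).items():
        print(f"{proc}: {', '.join(techniques)}")
```

Run against the constructed records, the sample process is reported with three distinct autostart techniques (Startup folder, Run, RunOnce) while the Program Files control record is dropped by the trusted-prefix filter. On a live host the same regexes apply to Sysmon Event ID 13 (registry value set) and Event ID 11 (file create) records once the Sysmon key names (HKU\..., HKLM\...) are mapped onto the \REGISTRY\USER and \REGISTRY\MACHINE forms used here.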
Processes
1. C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe (PID 2004)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (PID 3764, child of PID 2004)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\UserDotMC\devdobloc.exe (PID 1772, child of PID 2004)
      Command line: C:\UserDotMC\devdobloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Six artefacts are listed for download; the listing gives sizes and hashes only, without file names.

File 1
  Filesize: 2.6MB
  MD5: 858c814a6660013bb5ab014a288e8d5a
  SHA1: 5b4fcb43a8893e4ff71b817c592ddf2e0945dfbf
  SHA256: 15aab088d7b1a73c8cfde4d78f272340e34545f6d593c44082a2f56cb53c5126
  SHA512: 33dbd76747562b75809186a6e8ffa0beffa50b622cd61c7a5c2aa69657b5137fbd17bfa6bd5e235b1ec442482d5fb19fae5261695d933b4db3a3462d13f69c51

File 2
  Filesize: 256B
  MD5: bae5eb085a9f023b8d36e2a083933bdd
  SHA1: c8f3b383d6ce74e8606027a03db4b0ae08c513b1
  SHA256: b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab
  SHA512: 93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

File 3
  Filesize: 2.6MB
  MD5: 12388a1d28c3f73f09d093fa650f55e2
  SHA1: 5d8a98fe71749573fcb94125d182018c18161533
  SHA256: a165cfb9793f8caaad87ca126c94e168f76ab6be0f8bf4562fe9f050672b88c2
  SHA512: aab9b0f407c164d8f1a16280112d977196b966d14297f352597c6e214cc04175f9c0f5f4b9b5bf9ae99b11b704be65a5688cd2db03bdccfab0bafa278d9cc487

File 4
  Filesize: 206B
  MD5: a3ea100a13cbc201a1103478b0eb0f0b
  SHA1: b48679f64d4e6f243cf724dc5a427e034b5908c0
  SHA256: fda351f1812515d59aeaef74a2c0f1f6bf1f3bc246f4b5a301aa6aa5aae44df4
  SHA512: 13bb5cd325a4b40aeebfc6426a6717d78f6351f71cccb35e36f3de992f9d3603ccb70cc63ad147c52873ee2fa2bcb8fb9e4ab375bb10399328c0fb66563bbc40

File 5
  Filesize: 174B
  MD5: 0a70ba75a803446a0dd9b69a9d5b8b1b
  SHA1: 3bf821b50d0faddbd23199fd84f23da34c3a7cf2
  SHA256: 86b3d5a61a4d865f4494a7e55595644cb96ed83f2854cc578b961a52fbf8ff1a
  SHA512: 5623a64e3e57f6792010092aa9058d88a836eb019f019ef491b220e722aa2e68aa83022b63d3cfc618c4e5f6304f77435cab0882d73c0b0e14ff8f44a50f3fb6

File 6
  Filesize: 2.6MB
  MD5: c0032b5e1e6bb4cd09131791351f1c64
  SHA1: 3beb56afba04d39d660f321b28edb17cab9d23f5
  SHA256: fe56ce5895ea379e18a1e8a8f7c5d9a45f738b3f5594492801c4f616479d4c39
  SHA512: 93d0979667f22fd91b5bfddd24f778824a682997093639dafa923e55355ecd1633d1020019f5b502c7b868e680b5a0c56375bd78cd3bf1ba669520551b4118e9