Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 13:06

Static task: static1

Behavioral task: behavioral1
- Sample: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
- Resource: win10v2004-20241007-en
General
- Target: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
- Size: 2.6MB
- MD5: 33b4e30ee96a5727bc4493aeabd22780
- SHA1: e3afcfbe56f525706e317b6eb6d0a14c7da21f04
- SHA256: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39d
- SHA512: b4ad73297d7a865b0b50f6e4ee51281e7279ffd47d3baf0af658cefd80b2b94d1c99993e6757a87a06e099f2ca801a20e1e35e6dbe5172df2c025c509e528e73
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUp6b
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe

- Executes dropped EXE (2 IoCs)
  pid 3724: locdevopti.exe
  pid 2680: adobec.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNW\\adobec.exe"
  Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSG\\dobaloc.exe"
  Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locdevopti.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: adobec.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries repeat the following pid/process pairs:
  pid 4976: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
  pid 3724: locdevopti.exe
  pid 2680: adobec.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4976 wrote to memory of 3724; Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe; procid_target: 86 (listed three times)
  description: PID 4976 wrote to memory of 2680; Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe; procid_target: 87 (listed three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe"
  PID: 4976
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (child of PID 4976)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    PID: 3724
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  - C:\FilesNW\adobec.exe (child of PID 4976)
    command line: C:\FilesNW\adobec.exe
    PID: 2680
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads