Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 14:41
Static task: static1
Behavioral task: behavioral1
- Sample: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
- Resource: win10v2004-20241007-en
General
- Target: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
- Size: 4.1MB
- MD5: 1474a1f70a6f904a5b2ab7667ae7d250
- SHA1: 02f5a85e1f974db2e863fcce355cf4d31069655c
- SHA256: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbd
- SHA512: cf84e3944adca2cce6d2620d39849154dc78e045304e1c971dd1cbc845457e493b4dadec9ad74fdd63da0c0b1cd7a8e4f77a851397bd3c18590f994eb827373d
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe, by process 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe

Executes dropped EXE (2 IoCs)
- PID 1544: locxdob.exe
- PID 872: devdobloc.exe

Loads dropped DLL (2 IoCs)
- PID 2368: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
- PID 2368: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKL\\optidevloc.exe", by process 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJH\\devdobloc.exe", by process 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process locxdob.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process devdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2368: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe (2 entries)
- PID 1544: locxdob.exe and PID 872: devdobloc.exe, alternating, for the remaining 62 entries

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2368 (15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe) wrote to memory of PID 1544, procid_target 30 (4 entries)
- PID 2368 (15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe) wrote to memory of PID 872, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe (PID 2368)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (PID 1544)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesJH\devdobloc.exe (PID 872)
    Command line: C:\FilesJH\devdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.1MB
  MD5: a196bb8b4ff0261d2843a63fd47cda7d
  SHA1: 2ac12bdb281647f970a826640ed0b3e95597b3b1
  SHA256: 2a84dc62fe70d70e54b26e8d79349175c169364497e281a9de39f1debe1478be
  SHA512: f4d09f3f127e42e4ca1a6b121e06d02a679a7cde5ced18563fa3e4da8b6c892cb5ff1b3d638194c419b3b73a9123598ab9d97fe0b66fc1d835b1647dc13c35a8

- Filesize: 4.1MB
  MD5: 9ab5fa40d725ac6a41b543e625b7be0b
  SHA1: 1d82fd3a46c49014467bf91361e837d3b5a96410
  SHA256: a016dfa3b01c1fa8e9e46414f55fe0687369549d4facf11750894f228db64a56
  SHA512: 68d96a2fafe5ed12229063d1b3f96d63f28003bb64afb60034085652602815dd4a3e4528c57dcfe31f3585c6010d7acedffd35ba5378d0f9dc211de5e6cce9ce

- Filesize: 4.1MB
  MD5: ac8dff9524179c2fc3299054ceb02add
  SHA1: 6ea8517941f2cab58fb076281858e973516a3044
  SHA256: 3c95146a217650c861598dd57e0fdc044bc229e41a12c5aa56911a580c414f20
  SHA512: 032041c453932c7d307ee72ea8b96210b205d23ed2fc54c28bd15d817835a81c594c95943ddec2046c2b8e29de3f8ddb57ffad7277140b63d347850eeea046fb

- Filesize: 173B
  MD5: 305fe4e47519e22918aab150615832e8
  SHA1: f3014d1d86ae70c4cf01253421254a792ca47756
  SHA256: 8c5e1513096563d12d916cae757e30053f2145383f8ec29c022de295bdaa4106
  SHA512: f0ea2fa934091a01b5e7fe233f145cbe23903cfd6aa50daefe9bd6593d011f291a68c4bbc28750f0e25f92ef5031dfcf3a7bca706311a21e60863d03a9440ac6

- Filesize: 205B
  MD5: fd077b004664e4ac64b427b58b0d63b6
  SHA1: b5f7d4dba95ac5c69c0d19990bb786060e533014
  SHA256: d7c904d14339b00ac963279e49b10b9ca5fb6ecc419cb5a76a2fc12866a49844
  SHA512: 84ff8c61127c94a81ce7680cfd145f0a81d5e95934e14a3b8553b0d43c4e0cdfe05131c09c843ad337cafc757bfef70f96de6a40d8f5f6f8f4be14af11d6b857

- Filesize: 4.1MB
  MD5: ec24a0754d21335c2e21694968deb460
  SHA1: d25219835331a0718a62dae46b4fcfac747fbdc1
  SHA256: 7a7ecd29f6a4d74eaf696bc85dc3c3aa28d02fc7ed3c504ec67cf42dee43b966
  SHA512: 904c9d1701ab7266e295562f8d5592287253476143d251d777136d1b91fb4dd3bed3fabe7acd3d42c876b5860e25a4d44c5ee752b197a4e47194bebfe699d97a