Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 14:34
Static task: static1
Behavioral task: behavioral1
  Sample: b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
  Resource: win10v2004-20241007-en
General
Target: b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
Size: 2.6MB
MD5: 8b3600d845d35db96432e598e7d45770
SHA1: b1cb17f0b17ab255fe2df7fa898c41bd4c9fe4ec
SHA256: b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81
SHA512: 7889c5dc8ac7dd1b110975231f5dbee6c549de56ee8cd545afd36f87ae9bf431b1b1d7089881eb0a46cedfec2faf4f3216cc960249327e9efcc40aeac19219d3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Process: b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe

Executes dropped EXE (2 IoCs)
  PID 2816  locadob.exe
  PID 2812  devoptiloc.exe

Loads dropped DLL (2 IoCs)
  PID 2840  b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
  PID 2840  b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWJ\\devoptiloc.exe"
    Process: b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAZ\\dobxsys.exe"
    Process: b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locadob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devoptiloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2840  b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe  (2 entries)
  PID 2816  locadob.exe and PID 2812  devoptiloc.exe, alternating, for the remaining entries (64 IoCs in total)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2840 (b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe) wrote to memory of PID 2816, procid_target 30  (4 entries)
  PID 2840 (b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe) wrote to memory of PID 2812, procid_target 31  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2840

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe  (child of PID 2840)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2816

  C:\SysDrvWJ\devoptiloc.exe  (child of PID 2840)
    Command line: C:\SysDrvWJ\devoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2812
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 5240b4188a25398ef9b2e86db2bf7e2e
SHA1: efbd6b8ed10d2dbed28819f2683ccfd542b06bb0
SHA256: 391a35718f08e046d910fc0d37b8801932108a619b46b52589f8ed0b5d6859d2
SHA512: e11c5512679f417058a0d2e0b5f0b4d7d934b30230d69591a823309c8f98fe404a3660bd356b93031d6faecad8dddc0b568258063d13d236aed23977c8879523

Filesize: 2.6MB
MD5: 48ab32d98e52a7628838322e365268a0
SHA1: 254cfb57bb07ecad700b9bba22e08bc06f8c24a8
SHA256: 898b85fa8a5225d2f989527e207e2f33f4bb6522597229d3fd0148e8acad448e
SHA512: f1f7c3ad1746f300b4d6ee6591fc30a1fc6b73f8a10014814df7cafffa69a5e182c4aa5a92074e60fb7aeaefbb36d3144074d9df3c6b03ee6f95ffd1ead9b8b4

Filesize: 2.6MB
MD5: 60da257db580d2d6f7a6ac56d1ed892d
SHA1: a2764674e7dca1003b48a4d57acf2cdb18bb9443
SHA256: feaa1e0cd43a61c39646aeff63950b01546f466bd1d77187383aea8de37c1715
SHA512: d93455330728dea792754fad1dd001aee32e743823b37a470f00d435911be3e6b61d6186c7cbf864167de350461c059b3f8d12314c9f317bef36717ac65831c9

Filesize: 173B
MD5: b8814a2b791633755cd8555d168e31cb
SHA1: 91938bfa4c9410f69678bbb92ba22039e399573b
SHA256: 3d38c0629f42977c76c5754baf4f6c589a71a2a3b1ad6e59f544f5916c2edf7d
SHA512: 5bb44331756eace25a7079494b1b03f29a3605c7b8e6c2a3f05e25bdee3de14c26975f3fe40d3ddcab36f5821ddf6797c19bca59dff722605ba913c67f953dd2

Filesize: 205B
MD5: 620ac2d3b36478b698ec8ec4e6417b8b
SHA1: 2ace3018cf070ece97bd38d7098051f57a87f563
SHA256: 8b6fdedf1509fe338c7ef0989eea2f3f67174137d11b150965a4099df7dadf6d
SHA512: f63901186e58f65132535eb4034844ff6d5e0c4ff78dad5b7fcd4ef442c1245a32023515b9fe6592859bef17b3e507ce751e8b4095a4db425e84036674e2b64d

Filesize: 2.6MB
MD5: 14eb18cf9d76ed990b80dc1b817c0a0c
SHA1: 1f98653d8c4e053d044873368e6cd0170f4cf799
SHA256: e3c97a32126c69417825de96248d04d93cc1e93bd079a7497eda83c0492e518e
SHA512: 033b8439c4d7899a3d260635839f3752c27ba9b6ed857aa888bbde9d3e42a798483226941234f67c3cd0a1afdb2d5c7ac45d3a951827801b3471802b54e67f2e