Analysis
max time kernel: 120s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 15:08
Static task: static1
Behavioral task: behavioral1
  Sample: ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Resource: win10v2004-20241007-en
General
Target: ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
Size: 2.6MB
MD5: 453fd7630731c656c396ddc193d59e40
SHA1: d6fb879028f527d622555695f55847102fd4b47d
SHA256: ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736
SHA512: 58060e442a49fd1cbf144f851cfab4ca430b8e9e150eac625ddeef5d2a02eed82fefc8b2fa6c4436821ba98dcbf95e54291406e2179e4cde38a3c72fa2a58f0e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bS:sxX7QnxrloE5dpUpnb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4616 | locxdob.exe
  4840 | devoptisys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQ2\\devoptisys.exe" | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxX6\\dobasys.exe" | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptisys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2040 | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  4616 | locxdob.exe
  4840 | devoptisys.exe
  (The 64 entries are repeats of these three rows: 4 for PID 2040, the remaining 60 alternating between PIDs 4616 and 4840.)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2040 wrote to memory of 4616 | 2040 | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | 86
  PID 2040 wrote to memory of 4840 | 2040 | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | 89
  (Each of the two rows is recorded three times in the report.)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe"
  PID: 2040
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 4616
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Depth 2: C:\SysDrvQ2\devoptisys.exe
    Command line: C:\SysDrvQ2\devoptisys.exe
    PID: 4840
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads