Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
  Resource: win10v2004-20241007-en
The signatures, process tree and dropped files below are from behavioral1 (platform windows7_x64, resource win7-20240903-en); the win10v2004 run is not shown on this page.
General
Target: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
Size: 2.6MB
MD5: 40a89c9c1f86c5fa732987e226becb5f
SHA1: ae3dac667d036cc775a0c271bd628db6169c070d
SHA256: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6
SHA512: 882b9ea8fd55b355c6463664f39c30279707dd667db28e1ad8ce301dc05c8a23295ad0cf4440071f7aa13654a0dbbbfedc65d5330a2efe0768f1b7f9b0a65907
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpyb
Malware Config: (no entries on this page)
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
- Executes dropped EXE (2 IoCs)
  PID 2816: locdevopti.exe
  PID 2116: xbodec.exe
- Loads dropped DLL (2 IoCs)
  PID 2676: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature on this page.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7X\\xbodec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVL\\dobaloc.exe"
  Process (both): 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
  Both values share the name "Parametr" and point at executables in freshly created top-level directories. The RunOnce target C:\KaVBVL\dobaloc.exe does not appear in the process tree below, so in this run only the Run target xbodec.exe was observed executing; the RunOnce entry is a second autostart path that an execution-only view would miss.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by locdevopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xbodec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2676 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe: 2 entries
  The remaining 62 entries alternate between PID 2816 locdevopti.exe and PID 2116 xbodec.exe (31 entries each).
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2676 (52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe) wrote to memory of PID 2816 (locdevopti.exe), procid_target 30: 4 entries
  PID 2676 (52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe) wrote to memory of PID 2116 (xbodec.exe), procid_target 31: 4 entries
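Worked example, added by the editor and not part of the sandbox report or of the sample's own code: a small Python detector that flags the two autostart persistence behaviours recorded above (an executable dropped into the per-user Startup folder, and Run/RunOnce value writes) from Sysmon-style registry and file events. The event shapes (Event ID 13 SetValue with TargetObject/Details/Image, Event ID 11 FileCreate with TargetFilename/Image), the "non-standard top-level directory" heuristic and the ATT&CK reference T1547.001 are the editor's assumptions; the event records embedded below are constructed to mirror this report's IoCs and are not sandbox output.

```python
"""Flag Startup-folder drops and Run/RunOnce writes from Sysmon-style events.

Editor's example. Event dict shapes follow Sysmon EID 13 (RegistryEvent
SetValue) and EID 11 (FileCreate); the sample events are constructed from
the IoCs in the report above, not taken from the sandbox.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Autostart keys (ATT&CK T1547.001). Matched on the tail of the key path so the
# NT form (\REGISTRY\USER\<SID>\...) and the HKU\<SID>\... form both match.
AUTOSTART_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Per-user Startup folder under the roaming profile.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)

# Heuristic (assumption, not from the report): an executable sitting directly
# under a top-level directory such as C:\SysDrv7X\ is unusual for a legitimate
# autostart entry, which normally lives under Program Files or the user profile.
ODD_ROOT_DIR_RE = re.compile(
    r"^[a-z]:\\(?!windows\\|program files|programdata\\|users\\)[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)

STARTUP_EXTENSIONS = (".exe", ".lnk", ".bat", ".cmd", ".vbs", ".js")


@dataclass(frozen=True)
class Finding:
    signature: str   # same titles the report uses for its signatures
    process: str     # image that performed the write
    ioc: str         # indicator in paste-ready form
    note: str


def _unquote(value: str) -> str:
    """Strip the surrounding quotes and doubled backslashes the report shows."""
    return value.strip('"').replace("\\\\", "\\")


def check_registry_set(event: dict) -> Optional[Finding]:
    """Flag a Run/RunOnce value write (Sysmon EID 13 shape)."""
    target = event["TargetObject"]
    key, _, value_name = target.rpartition("\\")
    for suffix in AUTOSTART_KEY_SUFFIXES:
        if key.lower().endswith(suffix):
            data = _unquote(event["Details"])
            note = f"autostart value '{value_name}' under {key.rpartition(chr(92))[2]}"
            if ODD_ROOT_DIR_RE.match(data):
                note += "; target lives in a non-standard top-level directory"
            return Finding("Adds Run key to start application", event["Image"],
                           f"{target} = {data}", note)
    return None


def check_file_create(event: dict) -> Optional[Finding]:
    """Flag a runnable file written to the per-user Startup folder (EID 11 shape)."""
    path = event["TargetFilename"]
    if STARTUP_DIR_RE.search(path) and path.lower().endswith(STARTUP_EXTENSIONS):
        return Finding("Drops startup file", event["Image"], path,
                       "file in per-user Startup folder runs at next logon")
    return None


def analyze(events: List[dict]) -> List[Finding]:
    """Run both checks over an event list and return the findings in order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            found = check_registry_set(ev)
        elif ev["EventID"] == 11:
            found = check_file_create(ev)
        else:
            found = None
        if found:
            findings.append(found)
    return findings


SAMPLE = "52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe"
SID = "S-1-5-21-3063565911-2056067323-3330884624-1000"

# Constructed events mirroring the report's IoCs (not sandbox output), plus a
# benign Run write into Program Files and an unrelated registry write as controls.
EVENTS = [
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r'"C:\\SysDrv7X\\xbodec.exe"'},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r'"C:\\KaVBVL\\dobaloc.exe"'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": "explorer.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.signature}] {f.process}: {f.ioc} ({f.note})")
```

The RunOnce write for C:\KaVBVL\dobaloc.exe is flagged on the registry event alone, which matters here because the report's process tree never shows dobaloc.exe executing; a detection keyed only on process creation would miss that second persistence path. The Program Files control is still reported as an autostart write but without the odd-directory note, so the heuristic ranks rather than filters.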
Processes
C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe (PID 2676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 2816, child of PID 2676)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\SysDrv7X\xbodec.exe (PID 2116, child of PID 2676)
    Command line: C:\SysDrv7X\xbodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network: (no entries on this page)
MITRE ATT&CK Enterprise v15 (framework version used for the TTP counts in the signatures above; the matrix itself is not included on this page)
Downloads (files written during the run; filenames are not given on this page)
- Filesize: 2.6MB
  MD5: e82a9c11845448ba16fe674915e98347
  SHA1: 302af2806fdd0e7b5c42c24248b27e39c09ef641
  SHA256: 2a2d7dc1589e186a41c13d3792a0d342a2aa03792ae4fd35cbc13dbf2b0d73d3
  SHA512: 928ce0de970d9f9cb0f6ae934cdfcc11939968d29ce2a02bcd5347b3f668034c62bcb10cb1c59410dc30cb9fdb5febb0e22ecb147a6c9d20afaee27c25bfc159
- Filesize: 31KB
  MD5: 373f961ab3d25066725789da227a8fff
  SHA1: 48b241457cf4adfcd7a9483034d872c4b596e114
  SHA256: 16d2cc264fb3f54be681b16469f177273b23ac2afd6eb8358d057bca653b78c6
  SHA512: 1492c4985bc5000003eccea3419df8da990b187372c61f2c03996ffb4d5d46fa54f764875a58a4b2c35b935c2589207f861bb731dc9937be44c6284d84b4ea97
- Filesize: 2.6MB
  MD5: b4e99ce52575ba4ad35a9579c64adf14
  SHA1: 8665f083abb589dd1da394682d1fe66d4f35ab76
  SHA256: ad645c9e261ceb046ad69650f3a095062cdf9f2f66a3686dece9d9ab4748b929
  SHA512: 3a3e3edbd50e238004626f125a9076898c8637f21b3db003bb43fac311492e83a21acf20f7aab800bcd6c7259065900fc64923b9821a7fc7a2ab8cfd0f128e84
- Filesize: 171B
  MD5: 948991eb8dfcde882cab218dde7acabf
  SHA1: ff54905953ae2e9be8ebc2052ed65170337428dd
  SHA256: 97997111eac51d9afd10f3157c30b3d21e1a6340255f0e019bfe49a2956146b3
  SHA512: 23e54abfda9ea674dd285246e9aa62cd9dd639566c1e077958fb2784ec1e4e20c8f48daea7b773050360d120e0aac2caee0a3b74329275a493b45378b758794e
- Filesize: 203B
  MD5: 06fcd77964dcc51454540f7e3a14909e
  SHA1: 736e367ed900b2ccd6774320cc6281c4435d4bae
  SHA256: d483d411b2b1b6877e91b9baaeb0689a45d3cb425d275f19d321e3bb9cba091e
  SHA512: 6e7706a05ca19a679934998fb543460d8b6dabc5d5d3576ed91a5ce21fad20040d12b6c327c634a69176c0dfb4e08d7a9b545a20525ed0404780fe89b6c48a10
- Filesize: 2.6MB
  MD5: 59021fefc1a3e73d833d01577fa952d9
  SHA1: e3b56a75b12a4d25df5b3b02ec37b090d02e4b9e
  SHA256: 269137a31047339e3865b6d590b3bbee8fb67542da72c44f3b684117421e69fa
  SHA512: 8e75c0c2cb05f1be22e64fbd3c5beafb1b515a25689ee29aca4d144ecb1bb63e340c37dc78ad88f7f1f10529a777fd7cdde015b0b61ee7e0e26bcc1c1d1ee6c8
None of the three 2.6MB files shares a hash with the submitted sample (SHA256 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6) or with each other, so hash-based blocking of the original will not cover the files this run wrote; hunt on the paths and registry values in the signatures instead.