Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:57
Static task: static1
Behavioral task: behavioral1
  Sample: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
  Resource: win10v2004-20241007-en
General
Target: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
Size: 2.6MB
MD5: 660de9f89377146f2f21666c17297fe0
SHA1: cf87b3f5cc616c2a52bd03eb7428b89305590fc2
SHA256: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159
SHA512: 0508fd373c7ed3992a1d133c703b7b8ad2e14a936aff7cd8a9035ed4cbb935d5cc657176d332f20b1ad24f40b3d7c9cf84ef181fa5a75ad8354f7a0c53a531f9
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUp8bV
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  Process: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
- Executes dropped EXE (2 IoCs)
  PID 2464: locabod.exe
  PID 1724: adobsys.exe
- Loads dropped DLL (2 IoCs)
  PID 2500: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe (reported twice)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials among other things.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD5\\adobsys.exe"
  Process: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYP\\bodaloc.exe"
  Process: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locabod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: adobsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Distinct process entries (each repeated across the 64 IoCs):
  PID 2500: 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
  PID 2464: locabod.exe
  PID 1724: adobsys.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2500 (76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe) wrote to memory of PID 2464, procid_target 30 (reported 4 times)
  PID 2500 (76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe) wrote to memory of PID 1724, procid_target 31 (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe (PID 2500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (PID 2464)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesD5\adobsys.exe (PID 1724)
    Command line: C:\FilesD5\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads