Analysis
max time kernel: 149s
max time network: 128s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Resource: win10v2004-20241007-en
General
Target: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
Size: 2.6MB
MD5: 4a836cfb060f1f2d768f82f786eebb11
SHA1: f845ec8ea795af33cadbf5d588935d296d088f8a
SHA256: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068
SHA512: f49f79c5a8e3ff475824535b3405ff93cb6ab686502acf7896743ca8cb26e7bcfbec3f6f769e1c3db4cea36eca17c3f797f706c25cd1a519bd2f0caf5e0563c6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpybV
Malware Config
Signatures
Drops startup file (1 IoC)
  Description   IoC                                                                                   Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe  4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe

Executes dropped EXE (2 IoCs)
  PID   Process
  1724  locadob.exe
  2476  devbodloc.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  1728  4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe  (listed twice, one entry per load event)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Description      IoC                                                                                                                      Value                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr      "C:\\UserDotYW\\devbodloc.exe"     4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr  "C:\\Galax8X\\optidevec.exe"       4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Note: both values share the name "Parametr". The Run value points at devbodloc.exe, which is seen executing below; the RunOnce value points at C:\Galax8X\optidevec.exe, which does not appear in the process list for this run (RunOnce fires at the next logon, after the sandbox window). Both paths are worth checking on a suspect host.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      locadob.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      devbodloc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process                                                                 Events
  1728  4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe  2
  1724  locadob.exe                                                             31
  2476  devbodloc.exe                                                           31
  (The original listing repeats the two dropped processes in alternation for the remaining 62 entries; the counts above are that listing collapsed.)
Suspicious use of WriteProcessMemory (8 IoCs)
  Description                      Source PID / Process                                                            Target PID  procid_target  Events
  PID 1728 wrote to memory of 1724  4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe  1724        31             4
  PID 1728 wrote to memory of 2476  4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe  2476        32             4
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe  (PID 1728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe  (PID 1724, child of 1728)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\UserDotYW\devbodloc.exe  (PID 2476, child of 1728)
        Command line: C:\UserDotYW\devbodloc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
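The report above gives a small, concrete set of host artifacts: a file in the per-user Startup folder, a Run and a RunOnce value both named "Parametr", two dropped directories, and two dropped executables. The script below is an added triage example for a suspect Windows host and is not part of the sandbox report or of any tooling the report describes. It assumes an elevated PowerShell session (to read other users' profiles and HKEY_USERS hives), and it assumes that the 2.6MB entries in the Downloads section are the dropped copies of the sample (the report lists their hashes but omits filenames, so the hash match is used as a second signal alongside the paths and the value name). Nothing is deleted; findings are only listed so an analyst can decide what to collect before remediation.

```powershell
# Added triage script for the artifacts in this sandbox report (not the report's own code).
# Assumptions: elevated session; paths, value name and hashes are taken from the report;
# the 2.6MB Downloads hashes are assumed to be dropped copies of the sample.

$knownSha256 = @(
    '4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068',  # submitted sample
    '96e49fae039353ede60ab7ce4332d9130b1b718d888d67107b044403ef58bc71',  # Downloads, 2.6MB
    'e55f0fd4043f2637b5b9f2dfc4a8ed72bc400945db6017fe51cd8e0b1e567440',  # Downloads, 2.6MB
    '5e2ff79cbdec22f0c166833f3ceae77bd859dc0dfa7cb62a3f895b8c3f1506f1',  # Downloads, 2.6MB
    'a19e40b56f2ea2606c9c54985eecee40d7445e68b7fbf820d93457bc28b7691f'   # Downloads, 2.6MB
)

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

function Get-Sha256Lower([string]$Path) {
    (Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
}

# 1. Startup-folder drop. The sandbox saw it under C:\Users\Admin; check every profile,
#    because the malware writes to the profile of whoever ran it.
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $startup = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
        $h = Get-Sha256Lower $f.FullName
        if ($f.Name -ieq 'locadob.exe' -or $knownSha256 -contains $h) {
            Add-Finding 'StartupFile' $f.FullName $h
        }
    }
}

# 2. Run / RunOnce value named "Parametr" in every loaded user hive. The report shows both
#    keys set for one SID; iterating HKEY_USERS covers other logged-on users as well.
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\$sub"
        $val = Get-ItemProperty -Path $key -Name 'Parametr' -ErrorAction SilentlyContinue
        if ($null -ne $val) {
            Add-Finding "$sub\Parametr" $key $val.Parametr
        }
    }
}

# 3. Dropped files named in the Run/RunOnce values. optidevec.exe was not seen running in the
#    sandbox (RunOnce fires at next logon), so its presence on disk is the signal here.
foreach ($p in 'C:\UserDotYW\devbodloc.exe', 'C:\Galax8X\optidevec.exe') {
    if (Test-Path -Path $p -PathType Leaf) {
        Add-Finding 'DroppedFile' $p (Get-Sha256Lower $p)
    }
}
foreach ($d in 'C:\UserDotYW', 'C:\Galax8X') {
    if (Test-Path -Path $d -PathType Container) {
        Add-Finding 'DroppedDir' $d ((Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue).Count.ToString() + ' entries')
    }
}

# 4. Live processes by image name (both dropped EXEs executed during the sandbox run).
foreach ($proc in Get-Process -Name 'locadob', 'devbodloc' -ErrorAction SilentlyContinue) {
    Add-Finding 'Process' "PID $($proc.Id)" $proc.Path
}

if ($findings.Count -eq 0) {
    'No artifacts from this report were found on this host.'
} else {
    $findings | Sort-Object Type | Format-Table -AutoSize
}
```

The value name "Parametr" is the most durable indicator here: the dropped-file names and directories are cheap for the author to rotate, but the persistence key name is shared by both entries in this run and is unusual enough to hunt for across a fleet. Run the script before any cleanup so the registry values and file hashes are recorded while they are still present.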
Network
MITRE ATT&CK Enterprise v15
Downloads (files captured during the run; the report does not give filenames)

[1] Filesize: 2.6MB
    MD5:    bc92ff2c466662d4a084a9e369f30cfb
    SHA1:   315e6781f7c3974404334fd6b7f17c7d8b08b5d1
    SHA256: 96e49fae039353ede60ab7ce4332d9130b1b718d888d67107b044403ef58bc71
    SHA512: 9f37b87dfe9763bcb2187cca521dbeb82376d048ead13b3fb3a80641e1734cf1d1d830535c9c3bc607d5e008e0d965074fe8f10e3aafd3cc93a82d89ec5a5e8e

[2] Filesize: 2.6MB
    MD5:    56302b181d9d5cd7703046aca93da057
    SHA1:   71453145f8d2ea7b12d5022793ef3ae747caa8e1
    SHA256: e55f0fd4043f2637b5b9f2dfc4a8ed72bc400945db6017fe51cd8e0b1e567440
    SHA512: cd342c7b2cccee6372a3bf0a7dd69eeba6441e35dfa9396cf65f8f99c5ab0a4acfb0aeda14dd00be3c0fc2019cd0bb167a45bd15a833964778dd95f803a90773

[3] Filesize: 2.6MB
    MD5:    646612680e812de985fe8f60c2cbba52
    SHA1:   bb66a888d8a8daf6687e64e4929011c5441f803f
    SHA256: 5e2ff79cbdec22f0c166833f3ceae77bd859dc0dfa7cb62a3f895b8c3f1506f1
    SHA512: f9b35d9a96c7d83de80ad74a886b29ce18b29360979ebd90b7132a7a934dca8de8c755211496fe13d1fbd2b9a6d8d3f96ed2257d81ddc160b477c5c8f9bdc79d

[4] Filesize: 175B
    MD5:    d13a9d458bcd2c8608ed5180207d61d5
    SHA1:   ff145e5bbb886dc8a2daf075a16f5aa95889358c
    SHA256: a8b989fe084cc41f79d8e9af519cc6aa37c9e55a310569fce4015c8da4a2718e
    SHA512: 481aedf7dd3ff1d8daafae9ef0e234be67666ce58706abe6afbd3815368bad3faa893e09563545403acc80c84eb6c02cdde6f07282a6fc4742d94a4054a14f4f

[5] Filesize: 207B
    MD5:    c62ff5db21ad9566e0e502f4f7c59cbe
    SHA1:   d5f25f95509e9660358673c7c6a61286f452befe
    SHA256: 12f86de19d3e41c074300798d4bd30b22de7cac3b8bcab9acef02356dfad1aea
    SHA512: 26484f2633f843c4c7e98ac003bea8b2028f3a6deffe97590c85dd7c0a5a22e640f2a2d2f9ec689d214cdbb89a64b23165ad9ab991555e58c139407f93d96ecb

[6] Filesize: 2.6MB
    MD5:    b322bf339455139248a52159b49b2c2e
    SHA1:   bb15fa0e524f3dd083c6c19f730d2270e62e3945
    SHA256: a19e40b56f2ea2606c9c54985eecee40d7445e68b7fbf820d93457bc28b7691f
    SHA512: 4050ae9ceeede4a113fa36e0ea307043d0670e2a2007a094988fa710897a7005f598aec8b3bee8973fb3a112c3c9aba5cf6567119971e02589f5187fdc14716c