Analysis
max time kernel: 149s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Resource: win10v2004-20241007-en
General
Target: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
Size: 2.6MB
MD5: 4a836cfb060f1f2d768f82f786eebb11
SHA1: f845ec8ea795af33cadbf5d588935d296d088f8a
SHA256: 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068
SHA512: f49f79c5a8e3ff475824535b3405ff93cb6ab686502acf7896743ca8cb26e7bcfbec3f6f769e1c3db4cea36eca17c3f797f706c25cd1a519bd2f0caf5e0563c6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpybV
Malware Config
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4532 | locdevdob.exe
  3588 | xdobloc.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFT\\xdobloc.exe" | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNC\\bodaec.exe" | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2196 | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe (4 entries)
  4532 | locdevdob.exe (30 entries)
  3588 | xdobloc.exe (30 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2196 wrote to memory of 4532 | 2196 | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | 87
  PID 2196 wrote to memory of 4532 | 2196 | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | 87
  PID 2196 wrote to memory of 4532 | 2196 | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | 87
  PID 2196 wrote to memory of 3588 | 2196 | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | 91
  PID 2196 wrote to memory of 3588 | 2196 | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | 91
  PID 2196 wrote to memory of 3588 | 2196 | 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe"
  PID: 2196
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    PID: 4532
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocFT\xdobloc.exe
    Command line: C:\IntelprocFT\xdobloc.exe
    PID: 3588
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 43a9ff379e2059c3f8158a2015110341
  SHA1: 66434c35a5dfe8f0d61827d05d96519b7d4eeb1d
  SHA256: 5c6aa7b84ee01100214edab111886fa290c429b80f17bbc93404d860e1f281c8
  SHA512: d4060775ff6175eaf8b69442399af9219f9949cb23185d8e767b66ee25e8cbf68e34ec268da9dca2114f9fae502b7835d46d824708f13b4b226ca924dc0abb0c
- Filesize: 1.2MB
  MD5: bfc585b53c251bc54143bc3b7997c02d
  SHA1: a3ed085fba1895419b27dd0ffc23140a7bb7dc44
  SHA256: 7d562016c25f92016c69e012609f0e64a52a7d884a45acbecd16e11aff0f7b72
  SHA512: 37a995eea7a7fa82a0089ef725cc1a7790e0a5356824ca115b148d27d800a466e51c783f5863558c58dd10b6dc1631f673357b0a4a8dcc62c4c05ccbb9decb56
- Filesize: 2.6MB
  MD5: 0040f3d98ea9a5547c37d0e61b2c7348
  SHA1: 93bf511b8d9006e3b4062cad086fff8646963303
  SHA256: 964a8efc97359944c4636cce27c9a8ecfc8b4ca7a2f623d5506fda5e7df15977
  SHA512: ed41977cf0299a656f98c58ca69186b2ddd9c050ab064311ae433a75dc86e5a9e74021260b6628d9011634bbdce490dea0908071ab59936ae095f2bf2287d328
- Filesize: 205B
  MD5: 40878f1230354d0fd041f4f470710fe0
  SHA1: 11aa86d24de207762e1e586688f64e3cadc9d37f
  SHA256: b51c926cbd19bd14caff6ec099db0b349fd836209df5cc7debd30b693d9cc9ca
  SHA512: 45007ad39d3b11c202caa8a86c8326933ff528c269fcdfbd7ccd1f08abc276d3a3e97b58df2141dfc451468b778f0ca59c0a76b7f4b224992c4767fb81bf7a97
- Filesize: 173B
  MD5: 701dbf1ecd0054eedb47cd021b9cc453
  SHA1: 162423eab564bbff4240251d14f2f0b698529519
  SHA256: 7b89d3874842d56678d158e12aa922e0239f2ea08a454aa0de41fbe8283ef578
  SHA512: 17f94b973e2749df11bec5b0c84a621bfb2d8431aeb417741d1441ed0112e3197b3d78e7e3f890471031080c23da8dbe473c58a5206083ad06a97617645c7283
- Filesize: 2.6MB
  MD5: 56690dd23a48c7a54907acf4f61c5dbd
  SHA1: 506e9c8752ae54212e6e93e8e24a6c87a80ff908
  SHA256: b3207eea01dded1bc1f6b2a9d69ef50450eec4c381f8708c1cc335fd1fe96948
  SHA512: 1834782796d498fc14f55c51a1c1a3b46065f063fc12a11a66e8c6c220cb3a09d8d145f0ade317bab9d2a4b9d9ff1bdcfbdcd8a4923a1de2b0c3f32e50ef1aa2