Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 00:01
Static task
static1
Behavioral task
behavioral1
Sample
42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
Resource
win10v2004-20241007-en
General
Target: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
Size: 2.6MB
MD5: 28059835fcef9aba9240ae90757e0290
SHA1: a15d9d51328309f8bc59de08eaecfec07483e8bc
SHA256: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40
SHA512: b4be8d2a584785d8092cec220f2b167977f9f53e49cc3a840843381a9ae69fff2bbc04a7b76e536dbe352bb5134e6ef1a9f612ae113a7d55e21600eac329d990
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb
Malware Config
Signatures
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (process: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe)
Executes dropped EXE (2 IoCs)
PID 344: locxdob.exe
PID 3552: devoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR6\\dobaloc.exe" (process: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCP\\devoptisys.exe" (process: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptisys.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locxdob.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
344 | locxdob.exe
344 | locxdob.exe
3552 | devoptisys.exe
3552 | devoptisys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 368 wrote to memory of 344 | 368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | 89
PID 368 wrote to memory of 344 | 368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | 89
PID 368 wrote to memory of 344 | 368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | 89
PID 368 wrote to memory of 3552 | 368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | 90
PID 368 wrote to memory of 3552 | 368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | 90
PID 368 wrote to memory of 3552 | 368 | 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | 90
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 368
Level 2 (child of PID 368): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 344
Level 2 (child of PID 368): C:\AdobeCP\devoptisys.exe
Command line: C:\AdobeCP\devoptisys.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3552
Network
MITRE ATT&CK Enterprise v15
Downloads