Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 00:00
Static task: static1
Behavioral task: behavioral1
- Sample: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
- Resource: win10v2004-20241007-en
General
Target: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
Size: 2.6MB
MD5: a3596b0537ebd98b9da4548ee290f590
SHA1: 1e66d8cc4d99eafdae32f3544389cffda2bb2071
SHA256: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468
SHA512: 712dad09e851fcc2e52c75989182f2d5c5a74f65278b50bdc7c34f3c8bb53052ba8c1cdbc049d81e08e9205f98e5c00ab4b11444a982297aae3ab4dd4d0c8b66
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSq:sxX7QnxrloE5dpUpYbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe, by 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
- Executes dropped EXE (2 IoCs)
  PID 2488: locdevdob.exe
  PID 2252: devbodec.exe
- Loads dropped DLL (2 IoCs)
  PID 2272: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe (2 loads)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKF\\devbodec.exe", by 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNI\\dobdevec.exe", by 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
  Note that both values share the name Parametr, and that the RunOnce target C:\MintNI\dobdevec.exe is not among the processes observed in this run; only devbodec.exe and locdevdob.exe were executed.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by locdevdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by devbodec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2272 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe (2 events), then PID 2488 locdevdob.exe and PID 2252 devbodec.exe alternating for the remaining 62 events
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2272 (75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe) wrote to memory of PID 2488 (procid_target 30), 4 events
  PID 2272 (75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe) wrote to memory of PID 2252 (procid_target 31), 4 events
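The persistence indicators in the signatures above (an executable dropped into the user's Startup folder, Run and RunOnce values pointing at root-level directories, and the dropped files then being executed by the dropper) can be turned into detection logic. The following is an added example, not code from the sandbox report or from the sample: it scores Sysmon-style events for exactly those patterns. The events are constructed to mirror the report's IoCs; the field names follow Sysmon's FileCreate (ID 11), RegistryEvent SetValue (ID 13) and ProcessCreate (ID 1), but no real log was exported, and the FileCreate for C:\IntelprocKF\devbodec.exe is an assumption (the report lists only the Startup-folder drop, although it shows the file executing from that directory).

```python
"""Persistence triage over Sysmon-style events, modelled on the sandbox IoCs.

Added example; not code from the report or the sample. Event records are constructed
below, not exported from a real host.
"""
import re

# Autostart value under the user hive, as Sysmon renders it (HKU\<SID>\...\Run\<name>).
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# Roots where legitimately installed autostart entries normally live. Anything else
# (root-level directories such as C:\IntelprocKF, user-writable paths) is suspect.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _norm(path):
    """Lower-case a path and collapse doubled backslashes (the report renders values escaped)."""
    return path.strip().replace("\\\\", "\\").lower()


def exe_from_command(value):
    """Extract the executable from a Run value, which may be quoted and carry arguments.

    Limitation (deliberate, for brevity): an unquoted path containing spaces is cut at
    the first space and will then be reported as outside the trusted roots.
    """
    v = _norm(value)
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    return v.split(" ", 1)[0]


def _in_trusted_root(path):
    return any(path.startswith(root) for root in TRUSTED_ROOTS)


def evaluate(events):
    """Return (severity, reason, event) findings; events must be in chronological order."""
    findings = []
    dropped = set()  # files created in this trace, correlated with later autoruns and starts
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # FileCreate
            target = _norm(ev["TargetFilename"])
            dropped.add(target)
            if target.endswith(".exe") and STARTUP_DIR_RE.search(ev["TargetFilename"]):
                findings.append(("high", "executable dropped into user Startup folder: " + target, ev))
        elif eid == 13 and ev.get("EventType") == "SetValue":  # RegistryEvent
            m = AUTORUN_KEY_RE.search(ev["TargetObject"])
            if not m:
                continue
            exe = exe_from_command(ev["Details"])
            if not _in_trusted_root(exe):
                # A value pointing at a file this same trace created is the strongest signal.
                sev = "high" if exe in dropped else "medium"
                findings.append((sev, f"{m['key']} value '{m['name']}' points outside trusted roots: {exe}", ev))
        elif eid == 1:  # ProcessCreate
            image = _norm(ev["Image"])
            if image in dropped:
                findings.append(("high", f"dropped file executed (parent PID {ev.get('ParentProcessId')}): {image}", ev))
    return findings


def severity_counts(findings):
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe"
USER_HIVE = r"HKU\S-1-5-21-1163522206-1469769407-485553996-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"

# Constructed events (not an exported log). The devbodec.exe FileCreate is assumed: the
# report shows the file executing from C:\IntelprocKF but lists only the Startup-folder drop.
CONSTRUCTED_EVENTS = [
    {"EventID": 11, "ProcessId": 2272, "Image": SAMPLE, "TargetFilename": STARTUP},
    {"EventID": 11, "ProcessId": 2272, "Image": SAMPLE, "TargetFilename": r"C:\IntelprocKF\devbodec.exe"},
    {"EventID": 13, "ProcessId": 2272, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\\IntelprocKF\\devbodec.exe"},
    {"EventID": 13, "ProcessId": 2272, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\\MintNI\\dobdevec.exe"},
    {"EventID": 1, "ProcessId": 2488, "ParentProcessId": 2272, "Image": STARTUP},
    {"EventID": 1, "ProcessId": 2252, "ParentProcessId": 2272, "Image": r"C:\IntelprocKF\devbodec.exe"},
    # Benign control (constructed): a vendor installer registering an updater under Program Files.
    {"EventID": 13, "ProcessId": 4000, "Image": r"C:\Program Files\Vendor\setup.exe", "EventType": "SetValue",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for sev, reason, ev in evaluate(CONSTRUCTED_EVENTS):
        print(f"[{sev:6}] pid={ev['ProcessId']} {reason}")
```

Run against the constructed trace, the Startup-folder drop, the Run value for devbodec.exe and both executions of dropped files score high, the RunOnce value for the never-created C:\MintNI\dobdevec.exe scores medium, and the Program Files control produces nothing. The correlation with earlier FileCreate events is what separates the Run value from the many legitimate autoruns on a real host; on its own, "value outside Program Files" is a noisy rule.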
Processes
- C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe"
  PID: 2272
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (child of PID 2272)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    PID: 2488
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocKF\devbodec.exe (child of PID 2272)
    Command line: C:\IntelprocKF\devbodec.exe
    PID: 2252
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 66e188db09a72c219fd145f38939b1cb
  SHA1: 30b057116311de0a61d07b14e24b01421eb647ee
  SHA256: 45dc162769c3541006cdac120e7792222bb80f0e28488ddc82828ea85e453018
  SHA512: 90b0553f0847628f4151310b9513128b1aa4ef69a84f6bd3152dd04046e984120e2b1728ea2cc3082f3d9787a0f93d3db90ea317ea1d2bdff2ff28e859639d8b
- Filesize: 2.6MB
  MD5: b00c25ab3ad6003b6cc2e01a039464a1
  SHA1: 64a88d29e367901d1955c349bc916b192e942f66
  SHA256: aab792bf0342c29ce944bb1387acf03ab9d0b0cebdfc5963fde36124b861479c
  SHA512: 72eaa219fc788fa83663f65670647f1b784e4a6462b6b6c0a5cb379b9e816b5a8809efb86e332959e1ff604f163fa0b23c6800749cfc00a4f78bb673e8a3f0a8
- Filesize: 2.6MB
  MD5: cfb381df98a1b38894d18d5319a541e2
  SHA1: cdac3159f495a2e468e1461653f1ee7dc1e5e9be
  SHA256: f5424cc8894309e5e08da525401cd005c7c8cba598ca0260ad6f45086c31506c
  SHA512: 8aa13f2068979bf22e0b60a1c6602dde31600e28f788e8b647273fb9bf8c999287674d64b69d779e95e1d514c492633fc4c33c771dd54a2f1958fb440fb940f8
- Filesize: 176B
  MD5: 56df387be03c9b6b4d354b6023eec656
  SHA1: 49b1264550a3491f71c1b7ad89f091e434933e7c
  SHA256: b7d6b84cb7032058aceb2d886edaa69cf102bcabf5aebf05be8e8c539e4c168a
  SHA512: e0af618115a01691d802d31e2ee05b5a03d3ecde674cd528dd29acbcf2e19a9a3c09a8c767271bd81d1efbd7fdcad415191b5abca13f5e7d5bc9afc5ad8cf495
- Filesize: 208B
  MD5: 820b7e4c56ecfd1e25960daf10900037
  SHA1: b991cf770196bd29a85c1ee680e691eaecf83c9b
  SHA256: 06f971e1701e9259116d7940f136cc372033594372e93414ac9e7fb7822bc793
  SHA512: ba5c7a6ea4064f22ec1bd016b47cc822e22a7862fd8fe3aa8b874ac43bdb4d40fb5ab4b03051b7a45de7d52cbbb4e24684631dec759fac593c8877d055530895
- Filesize: 2.6MB
  MD5: 6bed96784cd83a7f5a13bf1b1d7fe72e
  SHA1: 8a132c167130ffcffe1a55b79424405bdf8c1d71
  SHA256: 6899223834386d94afb3445b00ebd3063e113f8b844c010adf23637749682d83
  SHA512: e67171fcbcdd487b4ad66ddf6da2bcc3090afacea4b9540ff8e7301d38b9e0c4446a8368f32d82f2a4cd5dafeaf286eea4f4b9dd45c9b4b0e724be402a45edc0