Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 00:00
Static task: static1
Behavioral task: behavioral1
- Sample: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
- Resource: win10v2004-20241007-en
General
- Target: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe
- Size: 2.6MB
- MD5: a3596b0537ebd98b9da4548ee290f590
- SHA1: 1e66d8cc4d99eafdae32f3544389cffda2bb2071
- SHA256: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468
- SHA512: 712dad09e851fcc2e52c75989182f2d5c5a74f65278b50bdc7c34f3c8bb53052ba8c1cdbc049d81e08e9205f98e5c00ab4b11444a982297aae3ab4dd4d0c8b66
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSq:sxX7QnxrloE5dpUpYbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (process: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe)
- Executes dropped EXE (2 IoCs)
  - PID 3196: locdevdob.exe
  - PID 3688: devbodloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocC4\\devbodloc.exe" (process: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLF\\optixloc.exe" (process: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevdob.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devbodloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 372: 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe (4 entries)
  - PID 3196: locdevdob.exe (30 entries)
  - PID 3688: devbodloc.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 372 (75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe) wrote to memory of PID 3196 (procid_target 86)
  - PID 372 (75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe) wrote to memory of PID 3196 (procid_target 86)
  - PID 372 (75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe) wrote to memory of PID 3196 (procid_target 86)
  - PID 372 (75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe) wrote to memory of PID 3688 (procid_target 89)
  - PID 372 (75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe) wrote to memory of PID 3688 (procid_target 89)
  - PID 372 (75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe) wrote to memory of PID 3688 (procid_target 89)
Processes
- C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe (PID 372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (PID 3196)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\IntelprocC4\devbodloc.exe (PID 3688)
    Command line: C:\IntelprocC4\devbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads