Analysis
- max time kernel: 119s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 00:02
Static task: static1
Behavioral task: behavioral1
- Sample: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
- Resource: win10v2004-20241007-en
General
- Target: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
- Size: 2.6MB
- MD5: 58f112e134ba38876c9e55651bde32c0
- SHA1: cedbdf28dc10b68ace93a699fdcb19176f8d9501
- SHA256: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631da
- SHA512: e299c0e560028e708192c8dafaea60a6daea3ba409421a0f060d2c52ed08ba27f0bf661dd8b5077ae0287d0ce873ba3cfcffec15c1b16979f5702be9fcc71457
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
- Executes dropped EXE (2 IoCs)
  PID 5036: locabod.exe
  PID 3948: adobec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBA\\adobec.exe"
    Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1Q\\optialoc.exe"
    Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locabod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: adobec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 820: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe (4 entries)
  PID 5036: locabod.exe (30 entries)
  PID 3948: adobec.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 820 wrote to memory of 5036 (process 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe, procid_target 86)
  PID 820 wrote to memory of 5036 (process 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe, procid_target 86)
  PID 820 wrote to memory of 5036 (process 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe, procid_target 86)
  PID 820 wrote to memory of 3948 (process 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe, procid_target 89)
  PID 820 wrote to memory of 3948 (process 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe, procid_target 89)
  PID 820 wrote to memory of 3948 (process 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe, procid_target 89)
Processes
- C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe (PID 820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (PID 5036, child of PID 820)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvBA\adobec.exe (PID 3948, child of PID 820)
    Command line: C:\SysDrvBA\adobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads