Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 00:06

Static task: static1

Behavioral task: behavioral1
Sample: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
Resource: win10v2004-20241007-en
General
Target: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
Size: 2.6MB
MD5: c21ee1eebb8a3a74eebfe5f4f5a6e590
SHA1: 7589d40f762bdc6857fc5b9830a5e803c9329173
SHA256: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898e
SHA512: 89377f2e304218854729ce9bba13fab4a892fd6b18f65c5b13d5c8abcfe449058bf320056ba3bc773b2da562331b0a40bbef54a5f58b02741868cdb295c3afc0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpmb
Malware Config

Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Process: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe

Executes dropped EXE (2 IoCs)
  PID 2412: locadob.exe
  PID 2936: devoptiec.exe

Loads dropped DLL (2 IoCs)
  PID 1724: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe (2 entries)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUS\\devoptiec.exe"
    Process: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax21\\bodxec.exe"
    Process: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locadob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devoptiec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1724: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe (2 entries)
  PID 2412: locadob.exe and PID 2936: devoptiec.exe (remaining 62 entries, alternating between the two)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1724 (2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe) wrote to memory of PID 2412, target procid 30 (4 entries)
  PID 1724 (2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe) wrote to memory of PID 2936, target procid 31 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe"
  PID: 1724 (depth 1)
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 2412 (depth 2, child of PID 1724)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesUS\devoptiec.exe
    Command line: C:\FilesUS\devoptiec.exe
    PID: 2936 (depth 2, child of PID 1724)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads