Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 00:06

Static task: static1

Behavioral task: behavioral1
  Sample: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
  Resource: win10v2004-20241007-en

General
Target: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
Size: 2.6MB
MD5: c21ee1eebb8a3a74eebfe5f4f5a6e590
SHA1: 7589d40f762bdc6857fc5b9830a5e803c9329173
SHA256: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898e
SHA512: 89377f2e304218854729ce9bba13fab4a892fd6b18f65c5b13d5c8abcfe449058bf320056ba3bc773b2da562331b0a40bbef54a5f58b02741868cdb295c3afc0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures

Drops startup file - 1 IoC
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Process: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe

Executes dropped EXE - 2 IoCs
  pid 1624: locxdob.exe
  pid 3048: devbodec.exe

Reads user/profile data of web browsers - 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application - 2 TTPs, 2 IoCs
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUN\\bodxsys.exe"
    Process: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeM4\\devbodec.exe"
    Process: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe

System Location Discovery: System Language Discovery - 1 TTP, 3 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devbodec.exe

Suspicious behavior: EnumeratesProcesses - 64 IoCs
  pid / Process (64 repeated events in total):
  2228  2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe  (4 events)
  1624  locxdob.exe   (30 events)
  3048  devbodec.exe  (30 events)

Suspicious use of WriteProcessMemory - 6 IoCs
  description / pid / Process / procid_target:
  PID 2228 wrote to memory of 1624 | 2228 | 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | 89
  PID 2228 wrote to memory of 1624 | 2228 | 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | 89
  PID 2228 wrote to memory of 1624 | 2228 | 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | 89
  PID 2228 wrote to memory of 3048 | 2228 | 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | 92
  PID 2228 wrote to memory of 3048 | 2228 | 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | 92
  PID 2228 wrote to memory of 3048 | 2228 | 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe"
  PID: 2228
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 1624
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  child: C:\AdobeM4\devbodec.exe
    command line: C:\AdobeM4\devbodec.exe
    PID: 3048
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads