Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2024, 19:05
Static task: static1
Behavioral task: behavioral1
- Sample: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
- Resource: win10v2004-20241007-en
General
- Target: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
- Size: 2.6MB
- MD5: cd73125f1fe8152cd43f3f5578c8baf0
- SHA1: 5b24f6dc3a9dfd3c96daca88b89fbf2e46f2972e
- SHA256: 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111
- SHA512: 6a552589b1f1ab116f526e64096d495e697871c86409056b80c0654a68dd74eedf3ab9589ec0b26e3faa559bdf042f32116f4458101d19049715a7621b044bfe
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpwb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2928 | locxdob.exe
  2248 | devdobloc.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2096 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
  2096 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG5\\devdobloc.exe" | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV3\\dobdevloc.exe" | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devdobloc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2096 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe (2 entries)
  2928 | locxdob.exe (the remaining 62 entries alternate between this row and the next)
  2248 | devdobloc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2096 wrote to memory of 2928 | 2096 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | 30 (4 entries)
  PID 2096 wrote to memory of 2248 | 2096 | 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe"
  PID: 2096
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 2928
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvG5\devdobloc.exe
    Command line: C:\SysDrvG5\devdobloc.exe
    PID: 2248
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 5d46f1583e8f4b4f3c31e60c84ed4477
  SHA1: 00fc9f97ff5f01d418d6d2e9158546989b8b3d46
  SHA256: f49b02ee5f5b8bea5ecfd150c426e399d32bc8f9e03d4bae4bd5ca4801b100b6
  SHA512: 0cc4995b86bfc065c21b581d0771bc5778dc0fde6e4ded7c6d9c62e5437d6b5d02e8557f66f07ae7ecd9dfff6004f9c0f10c93b2c31384a8539b1b7e014441f3
- Filesize: 2.6MB
  MD5: 81ce1b81c873dc78212b666a9283272b
  SHA1: e29201ac69cfad4064f4e5b21f35a36f82faaa37
  SHA256: 1a8a3dafc167fce8464ee1f461fa97c3305c74f8e96d65fc9ec1e3c5ed962e8e
  SHA512: 8174ec4db9d91f50a4861bd4f7604c8bbe02427e961f3af38ecca0c37454f0b596d83ef7f0e3006ff55dad9167cc8b91d93a73a526039d0725f08080f08d4744
- Filesize: 2.6MB
  MD5: a1ed1585f27394a6fc24b456f780823f
  SHA1: 691b3f888c6b6325cdbd9b856c608055440a12aa
  SHA256: 25a29a05767c888bfdfb16282fbb8bdbb75eb678b4fd6a40e98cb08ae56abc78
  SHA512: b09178bb88e9a9065ef112539cc2912bcef63c1df7ec2fa392b4629526dcb5dc37e3725bfb4c5549787221cdf7b49b14ba88a03621503a8582bac4428c1b00d5
- Filesize: 174B
  MD5: 5026441d728cc76b2b04f4d90f87a6e7
  SHA1: 27b633d2bcbcaaf02a3a9ee88373589568acf8bc
  SHA256: 6ed41d72c0ee34db214ab8680578f2711ccb382f6b6f8629f1cd81199d002fde
  SHA512: f2d746a2758d6bce6b2326df36a2cf24bce6176c0efb331614207f2b3ada6490bc8ecd79eb607f24a2d2bc96762bc2e2ea6b983d3acf7b4fd7b2d68dc70c1bc1
- Filesize: 206B
  MD5: 9fa69ed3efae6dbc34d31b8da980d2a7
  SHA1: 2989cef3bb0dc327a2339e3c7eba982ca5177e7d
  SHA256: 4e44d56dc9d7016d93edc4a3cc75164bd8fbc687c8cbfe10cebb2ea037aa9ea0
  SHA512: d5171855501119e58cd83ff486177c003f5093b2a8cd140a3b22743976aea645ab2495a350329f4f572d87f771414b70d7f2e05bcfe1eafbcd04c531edfdb4ec
- Filesize: 2.6MB
  MD5: ce9805bd16cfcfda238a1a42573d6300
  SHA1: 50ddf1a060e6493764120a5e84712ee8a6ec24c2
  SHA256: 58a7bed7fcb09c5ac2f67b10c6c60603290f1c30625731efc04c1f8231ce01f3
  SHA512: 37347a0a5b24c2af6bbc9e9837f8762742474c55e0c67f2c9276bf682acc36ded2fb83441691a21374ecc323736586a958a55a822b4c51bc9f9851ce9cac168a