Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 20:30
Static task: static1
Behavioral task: behavioral1
  Sample: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
  Resource: win10v2004-20241007-en
General
Target: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
Size: 2.6MB
MD5: 5de6be5c30bb2135981ae6980539632b
SHA1: 8e3d53cdf18a38a840114294342ab829d82d254d
SHA256: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f
SHA512: 822bb6bdfcc1acb0a56efe7b8b3d1201898b13196662d80e0c8c736191874c67430b32f0d65c8c3295f8fd0689a2dce36313d3d98a657997091b873ced15ea53
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  Process: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe

Executes dropped EXE (2 IoCs)
  pid 2560: locxdob.exe
  pid 2652: devdobec.exe

Loads dropped DLL (2 IoCs)
  pid 1624: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
  pid 1624: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9S\\devdobec.exe"
  Process: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax48\\optixloc.exe"
  Process: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: devdobec.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locxdob.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, all of them repeats of the same three processes:
  pid 1624: 22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
  pid 2560: locxdob.exe
  pid 2652: devdobec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1624 (22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe) wrote to memory of 2560, procid_target 29 (4 entries)
  PID 1624 (22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe) wrote to memory of 2652, procid_target 30 (4 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\22e6c1f2b82c7b84567dc0893def30fade182159cc5057db787177cf051ead6f.exe"
    PID: 1624
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
        PID: 2560
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\SysDrv9S\devdobec.exe
        Command line: C:\SysDrv9S\devdobec.exe
        PID: 2652
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads