Analysis
max time kernel: 150s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:06

Static task: static1

Behavioral task: behavioral1
Sample: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
Resource: win10v2004-20241007-en
General
Target: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
Size: 2.6MB
MD5: 8b8953477fc1a7b1c477705dac753fa1
SHA1: 5d8eb49842577eb6a65efb20538f7bd3ce921abe
SHA256: 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987
SHA512: 7ae486a1db0324e9afa38ed98256e59a23eb92806fad29352c7a211f7ee8354350982e6a72147d9ceca164c4a0b21658aa58bc53b3fd0d530f173814226a0681
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
Drops startup file (1 IoC)
Description | IoC | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
Executes dropped EXE (2 IoCs)
PID | Process
2708 | locdevdob.exe
2664 | devoptiloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNT\\bodasys.exe" | 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOV\\devoptiloc.exe" | 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 events were recorded; repeated entries are collapsed to the distinct PID/process pairs below.
PID | Process
2816 | 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
2708 | locdevdob.exe
2664 | devoptiloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Each row below was recorded three times.
Description | PID | Process | Target PID
PID 2816 wrote to memory of 2708 | 2816 | 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | 87
PID 2816 wrote to memory of 2664 | 2816 | 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | 88
Processes
[1] C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2816

  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2708

  [2] C:\AdobeOV\devoptiloc.exe
  Command line: C:\AdobeOV\devoptiloc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2664
Network
MITRE ATT&CK Enterprise v15
Downloads