Analysis
max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:08

Static task: static1

Behavioral task: behavioral1
Sample: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
Resource: win10v2004-20241007-en
General
Target: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
Size: 2.6MB
MD5: 23d0af67dfe646f9e6e097a3acfa9496
SHA1: 9de285012d4eecad61214f49f0d85f0908196631
SHA256: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626
SHA512: a80122dc354010325dce2a93abf27e6d9b40ddca1e1ddde96dfe1cd58e71e3e33fe1a00313eac94c478da1ec18fa30219b124e21600a73de1aeb06694c43c5c3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSA:sxX7QnxrloE5dpUppbR
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Process: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe

Executes dropped EXE (2 IoCs)
  PID 4588: locxdob.exe
  PID 5116: devdobsys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP6\\devdobsys.exe"
    Process: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEC\\dobdevec.exe"
    Process: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locxdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devdobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3340: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe (4 entries)
  PID 4588: locxdob.exe (30 entries)
  PID 5116: devdobsys.exe (30 entries)
  The 60 entries for PIDs 4588 and 5116 are recorded as a repeating sequence of two locxdob.exe entries followed by two devdobsys.exe entries.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3340 (88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe) wrote to memory of PID 4588, procid_target 87 (3 entries)
  PID 3340 (88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe) wrote to memory of PID 5116, procid_target 90 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe"
  PID: 3340
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (depth 2, child of PID 3340)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 4588
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesP6\devdobsys.exe (depth 2, child of PID 3340)
    Command line: C:\FilesP6\devdobsys.exe
    PID: 5116
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads