Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 22:56
Static task
static1
Behavioral task
behavioral1
Sample
60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
Resource
win10v2004-20241007-en
General
Target: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
Size: 2.6MB
MD5: 06a8ce2ed29c283efd02f9ba5c161c33
SHA1: e837f4f40a14ca7563c207c9d29115a666a0fdf6
SHA256: 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1
SHA512: 02b1250c811b50b4d027d559e52fd1969defb177665494244c6c18f9078c44c525c7a029c16ca35a9a65949386258df7057386393bae096b3a3ce71e73dc46d2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSq:sxX7QnxrloE5dpUpvbV
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
Executes dropped EXE 2 IoCs
pid | Process
696 | locdevdob.exe
3660 | adobloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDD\\adobloc.exe" | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6J\\bodaloc.exe" | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | Occurrences
4996 | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | 4
696 | locdevdob.exe | 30
3660 | adobloc.exe | 30
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4996 wrote to memory of 696 | 4996 | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | 87
PID 4996 wrote to memory of 696 | 4996 | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | 87
PID 4996 wrote to memory of 696 | 4996 | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | 87
PID 4996 wrote to memory of 3660 | 4996 | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | 91
PID 4996 wrote to memory of 3660 | 4996 | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | 91
PID 4996 wrote to memory of 3660 | 4996 | 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe"
Depth: 1
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4996
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  Depth: 2 (child of PID 4996)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 696
  C:\IntelprocDD\adobloc.exe
  Command line: C:\IntelprocDD\adobloc.exe
  Depth: 2 (child of PID 4996)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 3660
Network
MITRE ATT&CK Enterprise v15
Downloads