Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 22:58

Static task: static1

Behavioral task: behavioral1
- Sample: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
- Resource: win10v2004-20241007-en
General
- Target: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
- Size: 2.6MB
- MD5: 671ca0e4036f5e4fd20da5fa86937dda
- SHA1: 6f7522bd908960c39a8279a20ece9200947acb69
- SHA256: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991
- SHA512: 7910b63602e6128d32ee1c0dbdfa1cf3e2229d7ecd339348c2fb5f0f127a59cccffb80cd66bf711edaafbfd6a4215c90066aded58995ee307141669c14bc5ced
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSD:sxX7QnxrloE5dpUprbI
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
- Executes dropped EXE (2 IoCs)
  PID 5024: locdevopti.exe
  PID 4736: adobloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocIY\\adobloc.exe"
  Process: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4U\\dobdevloc.exe"
  Process: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locdevopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: adobloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2884: 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
  PID 5024: locdevopti.exe
  PID 4736: adobloc.exe
  (the 64 entries repeat these three pid/process pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   Process                                                                   procid_target
  PID 2884 wrote to memory of 5024    2884  0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe  89
  PID 2884 wrote to memory of 5024    2884  0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe  89
  PID 2884 wrote to memory of 5024    2884  0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe  89
  PID 2884 wrote to memory of 4736    2884  0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe  92
  PID 2884 wrote to memory of 4736    2884  0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe  92
  PID 2884 wrote to memory of 4736    2884  0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe  92
Processes
- C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe (PID 2884)
  command line: "C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 5024)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocIY\adobloc.exe (PID 4736)
    command line: C:\IntelprocIY\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads