Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:19

Static task: static1

Behavioral task: behavioral1
  Sample: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe
  Resource: win10v2004-20241007-en

General
Target: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe
Size: 2.6MB
MD5: af0ab76c356070b84815b4c61df01b0f
SHA1: 32f2b80acc2d834fe61091871125a1dd08295d50
SHA256: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6
SHA512: a4e311fea5c61c86a8ba2d7195134108069c4930a514cc150adddce68c299926647cd77fcf82c54b4e9606bfec3425b3fa0426732f345010fb13dfb3e65d3f94
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSq:sxX7QnxrloE5dpUpPbV
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe

Executes dropped EXE (2 IoCs)
  pid 4600  process: locadob.exe
  pid 5028  process: devdobec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8V\\devdobec.exe"
  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6U\\dobxsys.exe"
  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: locadob.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: devdobec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; the report repeats the same three pid/process pairs)
  pid 1192  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe
  pid 4600  process: locadob.exe
  pid 5028  process: devdobec.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1192 wrote to memory of 4600  pid: 1192  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe  procid_target: 88
  description: PID 1192 wrote to memory of 4600  pid: 1192  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe  procid_target: 88
  description: PID 1192 wrote to memory of 4600  pid: 1192  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe  procid_target: 88
  description: PID 1192 wrote to memory of 5028  pid: 1192  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe  procid_target: 91
  description: PID 1192 wrote to memory of 5028  pid: 1192  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe  procid_target: 91
  description: PID 1192 wrote to memory of 5028  pid: 1192  process: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe  procid_target: 91
Processes
- C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe"
  PID: 1192
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 4600
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Intelproc8V\devdobec.exe
    Command line: C:\Intelproc8V\devdobec.exe
    PID: 5028
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads