Analysis
max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
11/11/2024, 23:25
Static task
static1
Behavioral task
behavioral1
Sample
34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
Resource
win10v2004-20241007-en
General
Target
34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
Size
2.6MB
MD5
bbf43291083500c1aa9195023fb8038c
SHA1
9fe366b06a5eda3b7e58fbfb3e4cbfcca499edf1
SHA256
d0608ed4f5d17b8e9fe55fd59f06f51c3be3a850d0a9edb83b096aeac4296515
SHA512
577282a24e7dab7994308f36e95e2fd0665f8866170d810503cd0f6a2dbf3022d9e5d30ccfc352596ed917b54fc7a07f891446cd0a0e0902ff31e4b93fff24f7
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS5:sxX7QnxrloE5dpUpZbg
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe  (process: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe)

Executes dropped EXE (2 IoCs)
  PID 2908  locdevdob.exe
  PID 2344  xoptisys.exe

Loads dropped DLL (2 IoCs)
  PID 2132  34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
  PID 2132  34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCP\\xoptisys.exe"  (process: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2Y\\boddevec.exe"  (process: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: locdevdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: xoptisys.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2132  34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
  PID 2908  locdevdob.exe
  PID 2344  xoptisys.exe
  (the report lists these three PIDs repeatedly; the repeated entries are collapsed here)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2132 (34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe) wrote to memory of PID 2908, procid_target 30  (4 entries)
  PID 2132 (34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe) wrote to memory of PID 2344, procid_target 31  (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe  (PID 2132)
  Command line: "C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe  (PID 2908)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\AdobeCP\xoptisys.exe  (PID 2344)
    Command line: C:\AdobeCP\xoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
2.6MB
MD5
69c569ce85ae4ac92c23ed62ccfaba1d
SHA1
483d0707406120ec71fec0e01f126613f81acd39
SHA256
10df2fd229f5c5b41b22a6fd23c21230051d39ee5e22742d526487591eb569ed
SHA512
f494a3b99ce601c193f32814c99900019ca11864ad8d9afe3807d5c4ca55d6efbd71d4904f54e59fce4472e41bee18724e35cab1dbdfe28b1f83bd902d0de318

Filesize
171B
MD5
14b144f9afd091bbad4926ed3f2691ea
SHA1
7c686f6498facb4baf6d4176d1fb2cc5e46a55a8
SHA256
44769ca0084f7691077444b7b283ab31c199052ad483c597ab934c611346e74e
SHA512
bcd6f8c2008144ec91590753b5b1dff4ed5266aa90f118600f04415ac1b12a5cd0d13113a4d4c2a3d560c6aad750327e132d095bae48a7fdd59a932a57724c1a

Filesize
203B
MD5
ad16d8d6e99494bb1df98bc610c3a50c
SHA1
ae4da1b76b57f16ba33f5e251359fa1cdf13d4ea
SHA256
2cd784a12fb0a5162a8e9e19d5fa748118de931958f72c0e0e15780dd1ac54ce
SHA512
c983742bb363920fd800b5b6ec8ca28ab2a9b661728097d1a5e77c1b61c58764a464f89e67aeec72e73b4104de4fc0a4118562db44cb00ef29e080053835b5dd

Filesize
2.6MB
MD5
29ac6b89d4e0491177a88adf518b8427
SHA1
fe13633e026dab8ff34c3d4a19f2ce99b72ee8ed
SHA256
ba31f3902232fdbf0afdf9a1da1acc06c2b76131bbc8822240feeb130d694182
SHA512
ff7fa9703f8778cd4a356b48671acb733f9588a8e4faf32545e368b5881b68a2b7cd7a9901bd8c290d5f404562335db71f32abc669809de7afa6efbc76d14119

Filesize
2.6MB
MD5
04e003246e4f4c90093bec8fac8d4b4c
SHA1
dee33ed5496137fd9c564b37204eaff424f4d8aa
SHA256
126f7ad5f4b547bf3efaab4f103cf7b6dabf5aa9598616319cddd16b9d5d8010
SHA512
a0e6cc52ebbe0a3e26b4b2dafa3a5af828dd71d54dd53bbbca000552d571c8c6cb6ac9f383a4991393ea69c1419ad0a3826905323dccd85b3031452e93011a8c

Filesize
2.6MB
MD5
6e0b2cbf1b96046a1c8d488bd3c52503
SHA1
67882c5c48ed4451663e424cdd37e14c87bc9deb
SHA256
a86a8a83fd247756084ac1b40fd7791d7bddff032e03cf19ead3011030f8e5f8
SHA512
c0bfe3aab14d621fe0e822e319d592f07ee484397e4105cd27af53595a5c6c6e3933dd338f63ea09311b193294a7176675b20dfb3d8e4562192ecde1a78e66ea