Analysis
-
max time kernel
148s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
11/11/2024, 23:27
Static task
static1
Behavioral task
behavioral1
Sample
6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
Resource
win10v2004-20241007-en
General
-
Target
6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
-
Size
2.6MB
-
MD5
e38140640c98a63a8f77a11318314497
-
SHA1
04eaa25131abcde8ba90647f08998b2f0b550034
-
SHA256
6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1
-
SHA512
43d60cf61ded1b731022303b85e641b80f4bb4da3400d65d5e9f53ff7d9956d7bd9dc57f16ec41ae13f881e757c4df5ce4d7b84c04c14a85331388b51f5b6e64
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpnb
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2432 | locabod.exe
2584 | xdobec.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXN\\xdobec.exe" | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDF\\boddevsys.exe" | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locabod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe (2 entries)
2432 | locabod.exe
2584 | xdobec.exe
(the remaining 62 entries alternate between 2432 locabod.exe and 2584 xdobec.exe)
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1820 wrote to memory of 2432 | 1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | 28
PID 1820 wrote to memory of 2432 | 1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | 28
PID 1820 wrote to memory of 2432 | 1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | 28
PID 1820 wrote to memory of 2432 | 1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | 28
PID 1820 wrote to memory of 2584 | 1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | 29
PID 1820 wrote to memory of 2584 | 1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | 29
PID 1820 wrote to memory of 2584 | 1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | 29
PID 1820 wrote to memory of 2584 | 1820 | 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe" (depth 1)
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" (depth 2, child of PID 1820)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2432
-
C:\SysDrvXN\xdobec.exe
Command line: C:\SysDrvXN\xdobec.exe (depth 2, child of PID 1820)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2584
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5 9cfa03b4de8aaac1eb30cd83e2cb2354
SHA1 9a4d031d2a634ffe2ddcc6c068a2b207afa8a803
SHA256 d06d6eb1a9825353f98d994b4b27740d0539f8c489ac16c147a00aa14462cd4b
SHA512 51b0b945b90eee2baad642e54448acc22b720152787e075ed05ccd7c63b1244fb24a2281fa7606283236d056c6822e4cf04fe570120e9129fad0b58d3be40d22
-
Filesize
2.6MB
MD5 13500401707c5370492d3577a8a42cea
SHA1 1a508cd39f0a017beeb952cdc509a604c5dace50
SHA256 e8a3cc464c099f92a966899a477a3a400f6843717062035092869ec2305ca36f
SHA512 9f1b6dade81dfb411f7874663d7c715092f443abaaccdcc742218fe9e963dd834e7db1506a82d8b648e70270ec1daf0d1f65aa57e8ef468c4f90cb6f58d940fb
-
Filesize
2.6MB
MD5 f306ffd1834922e210ba79ad6030d74c
SHA1 b71cdbe8787a7e0c0164e7bc3be27879e00602d5
SHA256 04a55b5ce07ddf9f818981a645c15ceed92923364941593fd7c7dd56a9579990
SHA512 7c765f473ac2d844f2e9a360cbd1c51f3d9387b5d8ed6019f53dc3e070e351ae6fb1664445fce4403e69f253ebd58e8935a5e16b972796d5bfedeed17676c998
-
Filesize
171B
MD5 132cf19b7d4bfd05d0b1857039b8e826
SHA1 a91dffc216f680bf2a11ebc9c80788099b578832
SHA256 497cec8660b9ebf79980cdc04223076b5934cbfc43c25d3f03cd8f4cc7e9bff6
SHA512 120895865f179aaa6b82eadb0c35fda2c439baf9834824f9ea97dcecb96d77c3425a80c8f2259833ddae4c21bac4db7a4cdc3860d2f0d507371a829f539ba563
-
Filesize
203B
MD5 4275a56b1731a4baff37b8fad8dad183
SHA1 cebc5d1b7b9aced5c95ecedcd84762eeaa3c1dff
SHA256 e8cc7303dc66a4bf70091afde1a168e5738cb1af2c2408d396605300276e4665
SHA512 f9a1c193b46d5b503eb9fe23ee0e83d76118fe545bea1b23a3384d902a6374bfe76f23ffdee15f6499ab327974a23a73f005ecde15e60227b65878630ad491c3
-
Filesize
2.6MB
MD5 ee28770a7977a03c18682a0c18c1df85
SHA1 747ab889d0a3595968329f413bf964c452a19b04
SHA256 dddd899e44201bb301126afe559ab527eb43269ac534f7073b6df3cc69fa0fb3
SHA512 2b785541a63764883a789d1639f589b5e2d55060b18d7bd7341021b44e7d2e769797b70cbec86611ae9f91732d64ff9a8eafca5bbbb5e2043aa0be25e57afdd2