Analysis
-
max time kernel: 120s
max time network: 24s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:41
Static task: static1
Behavioral task: behavioral1
  Sample: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  Resource: win10v2004-20241007-en
General
-
Target: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
Size: 2.6MB
MD5: 8598554f88f28f57e507eec02adce7fa
SHA1: 258703846b37011b1330d221be6840b41f5543d3
SHA256: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133
SHA512: 34648e1beeb3f35c1f2d5e9babd20c9773c2ccb735b859270876414bb2f9d76a24231110f4b16a176ac46b90b6f73b781144f1d01783934c1e8b1762267974ff
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS9:sxX7QnxrloE5dpUpybo
Malware Config
Signatures
-
Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
-
Executes dropped EXE 2 IoCs
  pid 1256  Process locadob.exe
  pid 2160  Process xbodloc.exe
-
Loads dropped DLL 2 IoCs
  pid 1768  Process 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  pid 1768  Process 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP0\\xbodloc.exe"
  Process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  -
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7A\\dobxloc.exe"
  Process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  -
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locadob.exe
  -
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xbodloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 1768  Process 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe (2 entries)
  pid 1256  Process locadob.exe (31 entries, alternating with PID 2160 for the remaining 62)
  pid 2160  Process xbodloc.exe (31 entries, alternating with PID 1256 for the remaining 62)
-
Suspicious use of WriteProcessMemory 8 IoCs
  description: PID 1768 wrote to memory of 1256
  pid: 1768
  Process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  procid_target: 31
  (4 identical entries)
  -
  description: PID 1768 wrote to memory of 2160
  pid: 1768
  Process: 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
  procid_target: 32
  (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe"
Depth: 1
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1768
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  Depth: 2 (child of PID 1768)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1256
-
  C:\UserDotP0\xbodloc.exe
  Command line: C:\UserDotP0\xbodloc.exe
  Depth: 2 (child of PID 1768)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2160
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
MD5: a2c0caaa5b129da4f968d16f962c0589
SHA1: bd353320647d85913d9cebdb39b74b066388fdc3
SHA256: 6b405633b6dadbf8a54d436db04e42d649ab0ad8088bf6180e4fe6c8d2ce716c
SHA512: 5b792f59b19e4aaa22ceb7ad3d1405d2f6b3a84adae7c83642f9a460ab7e2e19c51cfc2436fcd1e58cc40a2e980e0b0454ac80d439519ee11ae65d7ab3c907ff
-
Filesize: 2.6MB
MD5: f68b5f1fe21a2b852b1d1bb635530d81
SHA1: c13cf7b29510bf497e39295d03353403e8c2e174
SHA256: cc43a09e68a94611eb3922886184bd45b08bac44632be6dda5acc12bfb0fc5f3
SHA512: 4eaf26062908ebdb36f8a25bcece5428de1fd5f27402ad787522da7a4c4b111cb420a6558e3719888fd3524fe3f290179a8e87592e0ab60ec335379ffa079574
-
Filesize: 2.6MB
MD5: 5c7937a92ae3b13e253aa5ea1b97983a
SHA1: f83087cf5ea6c2e7ac0a7b72f22acea2ea70fa89
SHA256: 4ad37e2a2f4d49206200ba2db4d686bbceb2cf5fd14fea44e39e2c69905bf9ba
SHA512: b2f83082806471caae55d4b5fc1ae1404901c40460c1a4207232b762baf080dd7473c677f0036f08e84fb53774e2359dc4a6b29a695aeb22f6d8abcb6075fa65
-
Filesize: 170B
MD5: e43e5b50d75495f8e5e54434f109ec91
SHA1: 998b92b0539e3ef765f3dc693c0e53b4c3fb886a
SHA256: 109261c823c5d609c3a90b576b7bbe1e0c4587db5dd05d4462dc0658bf49984f
SHA512: f806867e57b1c60eaa6eb09adfe0f0e9e772672d9b1a536384b739f31a23b91d79f2b30a18145893c3d4884c874ed0cdae0d6dd33f5ead1e2668c40b8880d5c5
-
Filesize: 202B
MD5: 7c58c48f4fefff24ed23e6e76d57edfb
SHA1: a3bddd073b8b456e247cb1fc8d317d3e7e79597b
SHA256: 735f4f8a324066a6f1c731a019ed984ccfa8d5ff6ece333922fd36f22f050823
SHA512: c731264bba3defafd20046df0505789900493f677e69c3477d7a13c46ae704120005839161b178497dfd98c041e939d5cc71fab4cc76c949b17af31dae8b6b11
-
Filesize: 2.6MB
MD5: cd13f5df74f007a109572f80623d8863
SHA1: 2d789f296405a397de63f439036da74d13815b42
SHA256: 260f5f5acebec94d70825c06dc68b1f08446bd5358fc08ae5a8c41de30b5a5dc
SHA512: bd88288fc3b8a55f129dff00bfadac23ae413a1b827c9e132029fbd622120bd9e0025048d0d7c1ba596b1ea4fdb811e5f94585ba5d76f9445c43cc492095f5e9