Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
12/11/2024, 16:33
Static task
static1
Behavioral task
behavioral1
Sample
e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Resource
win10v2004-20241007-en
General
-
Target
e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
-
Size
2.6MB
-
MD5
d2808e3373c56fd1aabd501b37bc4fd9
-
SHA1
5a4486f26e2c3bc11f9f7ec9e8a7e48adb94f354
-
SHA256
e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e
-
SHA512
db891ab58cf24b596c68260c65b72b57a54122a0cd00dba892be7b30aab550c3531837486738cf0874dc2408951bf91daeb257556c87a4c4face7c83035177e2
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSS:sxX7QnxrloE5dpUp0bF
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2176 | locdevdob.exe
780 | xbodloc.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1724 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
1724 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other secrets the browser keeps on disk.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWF\\xbodloc.exe" | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1C\\boddevsys.exe" | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Note: the Run target C:\SysDrvWF\xbodloc.exe is also launched during the run (PID 780), whereas the RunOnce target C:\KaVB1C\boddevsys.exe never appears as a process in this trace. Both targets live in short directories created directly under the drive root, and both values share the name "Parametr"; either is a usable hunting pivot.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locdevdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1724 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe (2 entries)
2176 | locdevdob.exe and 780 | xbodloc.exe, alternating for the remaining 62 entries (31 each)
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1724 wrote to memory of 2176 | 1724 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 30 (4 entries)
PID 1724 wrote to memory of 780 | 1724 | e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | 31 (4 entries)
Note: all eight writes go from the original sample (PID 1724) into the two processes it spawned itself (2176 and 780). A parent writing into a child it has just created is also what ordinary process creation looks like, so this signature on its own does not establish code injection into a foreign process; there is no write into any process outside this tree.
-
Processes
-
- C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe"
  Depth: 1
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1724
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    Depth: 2 (child of PID 1724)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2176
  - C:\SysDrvWF\xbodloc.exe
    Command line: C:\SysDrvWF\xbodloc.exe
    Depth: 2 (child of PID 1724)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 780
-
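The persistence chain above (an executable dropped into the per-user Startup folder, Run/RunOnce values named "Parametr" pointing at C:\SysDrvWF\ and C:\KaVB1C\, and the dropped files then launched as children of the sample) is what a detection would need to key on. The following is an added example and is not part of the sandbox report or the sample: it runs that logic over hand-constructed events in the shape of Sysmon records (EventID 11 FileCreate, EventID 13 RegistryEvent value set, EventID 1 ProcessCreate) that reuse the paths, value name and PIDs the report lists. The field names, the regex choices and the benign comparison event are assumptions about the log format, not the sandbox's own schema.

```python
"""Detection logic for the persistence chain the report above describes.

Added example, not part of the sandbox report. Events are constructed in the
shape of Sysmon records; field names are assumptions about the log format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Run / RunOnce value set under any user hive. Sysmon writes HKU\<SID>\...,
# the sandbox writes \REGISTRY\USER\<SID>\...; matching the suffix covers both.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# Autorun targets under Program Files or Windows are routine; a short directory
# created directly under the drive root (C:\SysDrvWF\, C:\KaVB1C\) is not.
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    process: str   # image that performed the action
    target: str    # path that was registered, dropped or executed


def check_run_key(ev: Dict) -> Optional[Finding]:
    """EventID 13: autorun value whose data points outside trusted directories."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    target = ev["Details"].strip().strip('"')   # the report renders data quoted
    if TRUSTED_DIR_RE.match(target):
        return None
    return Finding("autorun_untrusted_dir", ev["Image"], target)


def check_startup_drop(ev: Dict) -> Optional[Finding]:
    """EventID 11: executable written into the per-user Startup folder."""
    if ev.get("EventID") != 11:
        return None
    name = ev["TargetFilename"]
    if not STARTUP_DIR_RE.search(name) or not name.lower().endswith(".exe"):
        return None
    return Finding("startup_folder_exe_drop", ev["Image"], name)


def analyze(events: List[Dict]) -> List[Finding]:
    """Run the per-event checks, then correlate: did the process that planted an
    autorun target or Startup file also launch that same file in this session?"""
    findings: List[Finding] = []
    planted: Dict[str, Set[str]] = {}   # writer image (lowercase) -> planted paths
    for ev in events:
        for check in (check_run_key, check_startup_drop):
            f = check(ev)
            if f:
                findings.append(f)
                planted.setdefault(f.process.lower(), set()).add(f.target.lower())
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if ev["Image"].lower() in planted.get(ev["ParentImage"].lower(), set()):
            findings.append(Finding("planted_exe_executed", ev["ParentImage"], ev["Image"]))
    return findings


# Constructed events mirroring the report's IoCs; the last one is a benign control.
SAMPLE = "e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe"
PARENT = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
SID = "S-1-5-21-4177215427-74451935-3209572229-1000"


def run_key(sub: str, value: str) -> str:
    return "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + sub + "\\" + value


SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 11, "ProcessId": 1724, "Image": PARENT, "TargetFilename": STARTUP_EXE},
    {"EventID": 13, "ProcessId": 1724, "Image": PARENT,
     "TargetObject": run_key("Run", "Parametr"), "Details": r"C:\SysDrvWF\xbodloc.exe"},
    {"EventID": 13, "ProcessId": 1724, "Image": PARENT,
     "TargetObject": run_key("RunOnce", "Parametr"), "Details": r"C:\KaVB1C\boddevsys.exe"},
    {"EventID": 1, "ProcessId": 2176, "Image": STARTUP_EXE,
     "ParentProcessId": 1724, "ParentImage": PARENT},
    {"EventID": 1, "ProcessId": 780, "Image": r"C:\SysDrvWF\xbodloc.exe",
     "ParentProcessId": 1724, "ParentImage": PARENT},
    {"EventID": 13, "ProcessId": 4000, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": run_key("Run", "ExampleUpdater"),
     "Details": r"C:\Program Files\Example\updater.exe"},   # benign: stays unflagged
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.process} -> {f.target}")
```

Against the constructed events the run yields two autorun findings (xbodloc.exe and boddevsys.exe), one Startup-folder drop, and two correlated "planted_exe_executed" findings for the children at PIDs 2176 and 780; the RunOnce target boddevsys.exe is registered but never launched, matching the process tree above. The benign Program Files autorun is left alone.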
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
b7a226bf2331f05130b41da79f75fdc0
SHA1
4284c1a8b441c78a20c908d2a29938e07d71332e
SHA256
20db50f7a121c96bc47fc9ee8ca893b999e766577e4f8c8d36321fc7d87d63f1
SHA512
b749166eaab7431fdf6f2881bf50bc697461ee866025f71d8ad83d3568d373d14605f050bd786df4a065fc124124e6485144150363d5f40df30123fcec2a4db0
-
Filesize
2.6MB
MD5
2cfbad5eeb6b20fc4af031801d45a7d3
SHA1
30eb198ce35220728d5f88b9539e912deaf5029d
SHA256
baaed73e22bdb11d5b9b9573b9c3959fd7f4250fa0c61c64289e48d5ddffc1ec
SHA512
1eb53fa56ad33b21723c0ba103d4a0af31ddcc98cd7294f760155b7a298cd5df182a5b57bbcb54ff06c58ce3d3e0f30e033fb2832f7580bebc4e0cd4504be1ae
-
Filesize
2.6MB
MD5
5d9b84d99551c9ee041bb5ca61a8c48b
SHA1
2311b162de5d208aadd7261717dca6ce7860eecb
SHA256
971bca7de55d47b25cd8cea9205aa21af502134d154ebfd2007f37ff30c77ce0
SHA512
948c844a3ecaa17e9f285c106da7e05d6735675c240243102f9171f6268c1e0e8095390d950cc852659527726b8e31c371a840275069f69b2b916f38f9ac3293
-
Filesize
173B
MD5
bc32eeec9abc06b070c616f6c523d8de
SHA1
88873791dd5b07ebfd3f43f87d2f4986f3de06b7
SHA256
12dd1cd6bd8056bc78605fcbacd32a4f39573001eff02033ccd2926874698fdd
SHA512
17e73f6e31ba5bda35142ee3bec38276be09e62be899383c95fbd074f369a3da4c20427949747103d77ca1139ed82230cfe5e1c979a87ec1bee10c146505d42d
-
Filesize
205B
MD5
7d7e4128542af780492182013b1f5213
SHA1
d0c2e1f91b2c5316ee6d6ff21e778d2fcc094e06
SHA256
b6c76221addadff58182d0f45009a9a3adb4aff2002378b15a2f3a512eacbe90
SHA512
14bb30f6d43b999e1698f9b78a84c64e5e0307e94472164623be5fadc4a94d10333b1c346c40a1543f4c493f829b27b2d95f9aad212d323883db481fd59b4f77
-
Filesize
2.6MB
MD5
64680f9ca782277eee07c70177fbedcb
SHA1
f7ec18dc6e063663014079724a71e9eebc9c0fe8
SHA256
e06fd50175c3589fb4f2088e199f06724fee1c458b1d99a3332e122a12a83a2a
SHA512
cc9706b8b115d1b87dd648ee3ff2dd60ccfe08d97a8ce0cbeec75f056546ee8336d635665dedefdee70cb100d0e64a15b0aab0aa8df6db97c814cae922474bdb
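Four of the files listed above are the sample's own size (2.6MB) yet carry four different hashes, none equal to the submitted file, so a lookup on the submitted SHA256 alone will not find the copies it leaves behind. The following is an added example, not part of the report: it sweeps a directory tree hashing every regular file once for MD5, SHA1 and SHA256, and reports hits on any of the report's SHA256 values as well as name-only hits on the three file names the sample writes or registers (locdevdob.exe, xbodloc.exe, boddevsys.exe). The hash set is copied from this page; the scan routine, the demo directory and all of its contents are constructed for illustration, and a name-only hit is a lead to triage, not a confirmation.

```python
"""Hash- and name-based sweep for the artifacts listed under Downloads above.

Added example, not part of the report. REPORT_SHA256 and REPORT_NAMES are
copied from the page; the demo directory is constructed and its file contents
are placeholders, not real dropped files.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# SHA256 of the submitted sample plus every file listed under Downloads.
REPORT_SHA256: Set[str] = {
    "e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e",
    "20db50f7a121c96bc47fc9ee8ca893b999e766577e4f8c8d36321fc7d87d63f1",
    "baaed73e22bdb11d5b9b9573b9c3959fd7f4250fa0c61c64289e48d5ddffc1ec",
    "971bca7de55d47b25cd8cea9205aa21af502134d154ebfd2007f37ff30c77ce0",
    "12dd1cd6bd8056bc78605fcbacd32a4f39573001eff02033ccd2926874698fdd",
    "b6c76221addadff58182d0f45009a9a3adb4aff2002378b15a2f3a512eacbe90",
    "e06fd50175c3589fb4f2088e199f06724fee1c458b1d99a3332e122a12a83a2a",
}
# File names the sample writes or registers (from the Signatures section).
REPORT_NAMES: Set[str] = {"locdevdob.exe", "xbodloc.exe", "boddevsys.exe"}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob, in the same shape hash_file() returns."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """One pass over the file feeding all three digests, so large files are read once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def classify(name: str, sha256: str, hashes: Set[str] = REPORT_SHA256,
             names: Set[str] = REPORT_NAMES) -> List[str]:
    """Reasons a file matches: a hash hit is strong, a name hit is only a lead."""
    reasons = []
    if sha256 in hashes:
        reasons.append("sha256")
    if name.lower() in names:
        reasons.append("name")
    return reasons


def scan(root: str, hashes: Set[str] = REPORT_SHA256,
         names: Set[str] = REPORT_NAMES) -> Dict[str, Tuple[List[str], str]]:
    """Map path -> (reasons, sha256) for every matching regular file under root.
    Symlinks are skipped so a planted link cannot redirect the scan elsewhere."""
    hits: Dict[str, Tuple[List[str], str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            sha256 = hash_file(path)["sha256"]
            reasons = classify(fname, sha256, hashes, names)
            if reasons:
                hits[path] = (reasons, sha256)
    return hits


def summarize(hits: Dict[str, Tuple[List[str], str]]) -> Dict[str, List[str]]:
    """Basename -> reasons, for compact reporting."""
    return {os.path.basename(p): reasons for p, (reasons, _) in hits.items()}


def make_demo_dir() -> Tuple[str, str]:
    """Constructed tree: one name-only match, one hash-only match, one clean file.
    Returns (root, sha256 of the hash-matching file). The contents are placeholder
    bytes, not the real dropped files, so that hash is an assumption for the demo."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    sub = os.path.join(root, "SysDrvWF")
    os.makedirs(sub)
    with open(os.path.join(sub, "xbodloc.exe"), "wb") as fh:
        fh.write(b"placeholder, not the real payload")
    payload = b"constructed content standing in for a dropped file"
    with open(os.path.join(root, "unknown.bin"), "wb") as fh:
        fh.write(payload)
    with open(os.path.join(root, "clean.txt"), "wb") as fh:
        fh.write(b"nothing to see")
    return root, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    demo_root, demo_hash = make_demo_dir()
    # Extend the report's set with the demo hash so the hash-only file is found.
    for path, (reasons, digest) in scan(demo_root, REPORT_SHA256 | {demo_hash}).items():
        print(f"{','.join(reasons):12} {digest[:16]}... {path}")
```

On a real host, point scan() at the user profile and the drive root with the unmodified REPORT_SHA256; any "sha256" hit is one of the files the sandbox saw written, while a "name" hit in an unexpected directory (C:\SysDrvWF\, C:\KaVB1C\, the Startup folder) is worth pulling for a hash comparison even when its digest differs, since the copies above already differ from each other.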