Analysis
max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:34
Static task: static1
Behavioral task behavioral1: sample 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe, resource win7-20241010-en
Behavioral task behavioral2 (this report): sample 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe, resource win10v2004-20241007-en
General
Target: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
Size: 2.6MB
MD5: 3fa5ecad405ce4b1ed6f6fbb4fcd1350
SHA1: 7dbf377d4e7a50197cebbe5a1b8f8d8eb77f31e9
SHA256: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098
SHA512: a9cabf8b3751830cc894959bcb8bbf06deda309e0aabcd3b85de04afe8100afa500d1e6e22dcdbbf67692de30fff246c86c6f411d52a1850dd8cfa5e3ed127a5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSq:sxX7QnxrloE5dpUp2bV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Process: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
  Anything placed in the per-user Startup folder is launched by Explorer at that user's next logon (MITRE ATT&CK T1547.001, Registry Run Keys / Startup Folder).
Executes dropped EXE (2 IoCs)
  PID 3332: locdevdob.exe
  PID 2440: adobsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials among other data. The report lists no individual IoCs under this signature; it is raised on TTPs only.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvM6\\adobsys.exe"
    Process: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUL\\bodaloc.exe"
    Process: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
  Both values share the name "Parametr". The Run entry points at adobsys.exe, which the sample also launches directly in this run (PID 2440); the RunOnce entry points at C:\MintUL\bodaloc.exe, which does not appear among the executed processes here, so that path would only be exercised at the next logon of this user.
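The two persistence IoCs above, the Startup-folder drop and the Run/RunOnce value writes, are the kind of thing a host-based rule should catch before the dropped binaries ever run. The following Python matcher is an added example written for this page, not part of the sandbox report or of the sample; it runs over constructed Sysmon-style event lines (Event ID 11 FileCreate and Event ID 13 RegistryEvent) that mirror the report's IoCs. The `Key=Value|Key=Value` line format, the `TRUSTED_PREFIXES` allow-list and the benign control events are assumptions made for the example.

```python
"""Match Startup-folder drops and Run/RunOnce autostart writes in flattened
Sysmon-style events. Added example; event lines below are constructed, not
real sandbox output."""
import re
from dataclasses import dataclass
from typing import Optional

# Per-user Startup folder: anything written here runs at the user's next logon.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# Run / RunOnce value writes under HKCU or HKU\<SID> (Sysmon Event ID 13 TargetObject).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
# Assumption for this example: autostart entries under these roots are expected.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value|Key=Value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_path(details: str) -> str:
    """Extract the executable path from a Run-value payload such as
    '"C:\\x y\\z.exe" /arg' (quoted, may contain spaces) or 'C:\\x\\z.exe /arg'."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for a Startup-folder drop or an untrusted Run/RunOnce target."""
    proc = ev.get("Image", "?")
    if ev.get("EventID") == "11":  # FileCreate
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target):
            return Finding("startup_folder_drop", proc, target)
    elif ev.get("EventID") == "13":  # RegistryEvent (value set)
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            exe = image_path(ev.get("Details", ""))
            if not exe.lower().startswith(TRUSTED_PREFIXES):
                return Finding(f"{m['key'].lower()}_key_untrusted_path", proc,
                               f"{m['value']} -> {exe}")
    return None


def scan(lines) -> list:
    """Run check_event over every non-empty line and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            f = check_event(parse_event(line))
            if f:
                findings.append(f)
    return findings


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe")
SID = "S-1-5-21-2437139445-1151884604-3026847218-1000"

# Constructed Sysmon-style lines modelled on the report's IoCs, plus two benign controls.
SAMPLE_EVENTS = [
    f"EventID=11|Image={DROPPER}|TargetFilename=C:\\Users\\Admin\\AppData\\Roaming"
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\locdevdob.exe",
    f"EventID=13|Image={DROPPER}|TargetObject=HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows"
    "\\CurrentVersion\\Run\\Parametr|Details=C:\\SysDrvM6\\adobsys.exe",
    f"EventID=13|Image={DROPPER}|TargetObject=HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows"
    "\\CurrentVersion\\RunOnce\\Parametr|Details=C:\\MintUL\\bodaloc.exe",
    # Benign: vendor autostart under Program Files (quoted path with arguments).
    f"EventID=13|Image=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe|TargetObject=HKU\\{SID}"
    "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "|Details=\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
    # Benign: ordinary document write outside any autostart location.
    "EventID=11|Image=C:\\Windows\\explorer.exe|TargetFilename=C:\\Users\\Admin\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.process}: {finding.detail}")
```

Run against the sample lines, the three malicious events produce one finding each (the Startup drop, the Run value and the RunOnce value) and the two controls produce none. The allow-list on the target path, not on the writing process, is deliberate: the dropper here writes the values itself from a Temp path, but a Run value pointing at C:\SysDrvM6 or C:\MintUL is suspicious regardless of who wrote it.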
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Processes: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe, locdevdob.exe, adobsys.exe
  All three processes open the same key, consistent with the dropper and both payloads sharing code. On its own this is a weak signal, since legitimate software also reads NLS\Language.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3764 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe (4 entries)
  PID 3332 locdevdob.exe and PID 2440 adobsys.exe, alternating in pairs for the remaining 60 entries
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3764 (7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe) wrote to memory of PID 3332 (locdevdob.exe), 3 entries, procid_target 88
  PID 3764 (7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe) wrote to memory of PID 2440 (adobsys.exe), 3 entries, procid_target 90
  The only write targets are the two child processes the sample itself launches; no writes into pre-existing processes were recorded in this run.
Processes
  C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe (PID 3764)
    command line: "C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe"
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (PID 3332)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    child: C:\SysDrvM6\adobsys.exe (PID 2440)
      command line: C:\SysDrvM6\adobsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report records only sizes and hashes for these artifacts; no file names or paths are given.

  Filesize: 2.6MB
  MD5: 4ecfe40e660a4c63e1206a6d85527685
  SHA1: 1961094f10a23027d3c1bf665ae0503bdf317f21
  SHA256: 26ab1f7f302eb50842b4d61d30f76d0f887c4347ff732504967238ef1b4020f3
  SHA512: 92157b83f0b9435263d7e25360fce40b4685d0d63f7152c0cde81c5c15b3aac2fa13fc1f05de4ede3377a296905faa7d428edccd16940d32d866184d9830c01b

  Filesize: 2.6MB
  MD5: d97bc12445392c64481a08b57b9d458c
  SHA1: 450f878beef8256da090ee58defeb3d32f3dd4f7
  SHA256: cb4c499ef9c76dff644979815678c265a0621e2639f7617013b5be5e0a36da02
  SHA512: 5fbdd3b250be5919b409597f8bcb6dfd8d94db70d848e825480b48719d40372d52047ab19e21b4697d3d6e0937c8173b855b2a0666e304b142084d6b18263e4a

  Filesize: 2.6MB
  MD5: 9df520ae6a107cbc1950bedc2054b653
  SHA1: 24c8080315eb26ecc72c1b5fb9cabe2d74f98a49
  SHA256: 5b8dfeeb10ccfdb6d451d82bcb8af5e206f2608d811cd99e253ff1126b71dead
  SHA512: c4bd1c33a3b29084a5f213995176f306e47e1b7da4a63e37d7efcff6d6c8d87416ce6b47571d9a5d8c77a94be05cbd07bba13c30e0a40ebed32080bccce2199c

  Filesize: 203B
  MD5: 1eda7d3587c86e1eaa7a9f1192981a50
  SHA1: e3210d99de1ab1dbed737783d55e934727378d1a
  SHA256: 9a3b96ce337f48538e497b3fcb95f27d3a54d6737558b9e17009158b53925518
  SHA512: c99abe354d38ccd5b3d9dd3cd669c294af43bc1e329ce2dfdf18005dffbc4e47afdf52b84f73d05825ce594ce01b6713275523a74daaeb261743a48b66bfdd6f

  Filesize: 171B
  MD5: 4fdb89e4cc44ba1dc006549d8ab3a025
  SHA1: 287ffda7f8790d87d00a31a4cf985ad20f22627d
  SHA256: c37031d1de1c8944a3402fe529874a21f9cb0bd622aaf171fc744960136ed298
  SHA512: 699ad5c17c4fd090e8ac722279279e5df47701697d3aac57f8f6513012b0df97cbe97eb9d707242ab8df7c447b8bd2ece61ed5cf69fbcd5cbae917d3f165a20e

  Filesize: 2.6MB
  MD5: 19edeaeac68a0a42c6769b981f7f4743
  SHA1: 9d3c091af76091c8df69f4cfa0f74fea25c8d580
  SHA256: 61542906bc9a6c2c9c68857aa7f68a871600ef1416b1d7f1e2a6f9cfdbb34717
  SHA512: 0dd8aa10bece4d79c5369309a0b6c867cf4c65258b0090e219953f3433bffbfc06a5e063af2f9c6b23c88bb0ea63892f731a35b0faec46d0f915c945a3da48ad