Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:38
Static task: static1
Behavioral task: behavioral1
  Sample: eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
  Resource: win10v2004-20241007-en
General
Target: eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Size: 2.6MB
MD5: 37456cc11ecdb190fe3a6a3f53c61860
SHA1: f2f5eca5d60f67a17277a8e2b8c929041f3eb031
SHA256: eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17
SHA512: 80fd964ee3dbe341d7c71c08cb629f3b407375e5d9e5fb1e65dbfa78fb2935ae3dba2774703624aee6210bfeca475161e6b623fc1329b18dc26a5c6923f2ef34
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
-
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
-
Executes dropped EXE (2 IoCs)
pid | Process
2544 | locadob.exe
2380 | xdobsys.exe
-
Loads dropped DLL (2 IoCs)
pid | Process
1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWN\\xdobsys.exe" | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxM8\\bodxloc.exe" | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs; distinct pid/Process rows shown)
pid | Process
1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
2544 | locadob.exe
2380 | xdobsys.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1692 wrote to memory of 2544 | 1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 30
PID 1692 wrote to memory of 2544 | 1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 30
PID 1692 wrote to memory of 2544 | 1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 30
PID 1692 wrote to memory of 2544 | 1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 30
PID 1692 wrote to memory of 2380 | 1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 31
PID 1692 wrote to memory of 2380 | 1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 31
PID 1692 wrote to memory of 2380 | 1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 31
PID 1692 wrote to memory of 2380 | 1692 | eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1692
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (depth 2, child of PID 1692)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2544
  -
  C:\FilesWN\xdobsys.exe (depth 2, child of PID 1692)
    Command line: C:\FilesWN\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2380
-
Network
MITRE ATT&CK Enterprise v15
Downloads