Analysis

max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:30

Static task: static1
Behavioral task: behavioral1
  Sample: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
  Resource: win10v2004-20241007-en
General

Target: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
Size: 2.6MB
MD5: 49006d86c71d72775b4982251bb9fd40
SHA1: 5ae4cd5c68da2c9dfaf07047028d4dcaf92be31e
SHA256: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426d
SHA512: c8bf3421783d051084a45372b322f40a74e8f185344b15e412c3f48d72a6a6fd3fab4829f0c1adee5fac32b9f425e8392ff507ee813cf63125d7975e2a2b2554
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb
Malware Config

Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  Process: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe

Executes dropped EXE (2 IoCs)
  PID 2420: locdevopti.exe
  PID 5104: devdobec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeC8\\devdobec.exe"
    Process: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZO9\\optidevloc.exe"
    Process: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locdevopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devdobec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4300: 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe (4 entries)
  PID 2420: locdevopti.exe (30 entries, alternating in pairs with PID 5104)
  PID 5104: devdobec.exe (30 entries, alternating in pairs with PID 2420)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4300 (6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe) wrote to memory of PID 2420, procid_target 86 (3 entries)
  PID 4300 (6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe) wrote to memory of PID 5104, procid_target 87 (3 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe"
  PID: 4300
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    PID: 2420
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\AdobeC8\devdobec.exe
    Command line: C:\AdobeC8\devdobec.exe
    PID: 5104
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads