Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:49

Static task: static1
Behavioral task: behavioral1
  Sample: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
  Resource: win10v2004-20241007-en
General
Target: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
Size: 2.6MB
MD5: c43d5f34536775004db54a33cfd82f6c
SHA1: f2aa967ee3bfe10a7568bf653ba0f5d5cd3c9466
SHA256: 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8
SHA512: 0a7ba5f9cc094d03f531383809ca9bd77ca1402846d352cf62ec7ef1f5b0bcef664f2b02acfc025183a3fa9b099f1628893ea8b6964f7ba5e5c2e4623ba3c375
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS2:sxX7QnxrloE5dpUpDbf
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
Executes dropped EXE 2 IoCs
pid | Process
2736 | locxbod.exe
2888 | devoptiloc.exe
Loads dropped DLL 2 IoCs
pid | Process
2800 | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
2800 | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCE\\devoptiloc.exe" | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUY\\dobaloc.exe" | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxbod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2800 | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe (2 entries)
2736 | locxbod.exe
2888 | devoptiloc.exe
(the remaining 62 entries alternate between 2736 locxbod.exe and 2888 devoptiloc.exe)
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2800 wrote to memory of 2736 | 2800 | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | 30 (4 identical entries)
PID 2800 wrote to memory of 2888 | 2800 | 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | 31 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2800

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (child of PID 2800)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2736

   2. C:\AdobeCE\devoptiloc.exe (child of PID 2800)
      Command line: C:\AdobeCE\devoptiloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2888
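Added triage example covering the Signatures and Processes sections above. This is not code from the report or from the sandbox vendor. The event records it processes are constructed by hand in the shape of Sysmon Event IDs 1 (process create), 11 (file create) and 13 (registry value set) so that they mirror the observed behaviour; the parent PID 1234 is made up, while the SID, the value name Parametr, the Startup-folder drop, the Run/RunOnce targets and PIDs 2800/2736/2888 are taken from the report. Besides re-deriving the report's own persistence and dropped-EXE findings, it flags a point worth collecting during response: the RunOnce target C:\MintUY\dobaloc.exe is registered for persistence but never appears as an executed process within the analysis window.

```python
"""
Added triage example (not part of the sandbox report): replay the report's
persistence and process-tree indicators over Sysmon-style event records and
list which ones fire. SAMPLE_EVENTS is constructed by hand to mirror the
report (PIDs 2800/2736/2888, the Startup-folder drop, the Run and RunOnce
values); on a real host, feed parsed Sysmon Event IDs 1, 11 and 13 instead.
"""
import re
from collections import defaultdict

SAMPLE = "88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe"
SID = "S-1-5-21-3533259084-2542256011-65585152-1000"   # from the report
USER_RUN = rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# User-hive Run/RunOnce value. The SID differs per host and Sysmon writes the
# hive as HKU rather than \REGISTRY\USER, so both spellings are accepted.
RUN_KEY_RE = re.compile(
    r"(?:\\REGISTRY\\USER|HKU)\\S-1-5-21-[0-9-]+\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>RunOnce|Run)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)

# Constructed events in the shape of Sysmon EID 1 (process create),
# 11 (file create) and 13 (registry value set). PID 1234 is a made-up parent.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2800, "ParentProcessId": 1234,
     "Image": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"},
    {"EventID": 11, "ProcessId": 2800, "TargetFilename": rf"{STARTUP}\locxbod.exe"},
    {"EventID": 11, "ProcessId": 2800, "TargetFilename": r"C:\AdobeCE\devoptiloc.exe"},
    {"EventID": 13, "ProcessId": 2800, "TargetObject": rf"{USER_RUN}\Run\Parametr",
     "Details": r"C:\AdobeCE\devoptiloc.exe"},
    {"EventID": 13, "ProcessId": 2800, "TargetObject": rf"{USER_RUN}\RunOnce\Parametr",
     "Details": r"C:\MintUY\dobaloc.exe"},
    {"EventID": 1, "ProcessId": 2736, "ParentProcessId": 2800,
     "Image": rf"{STARTUP}\locxbod.exe"},
    {"EventID": 1, "ProcessId": 2888, "ParentProcessId": 2800,
     "Image": r"C:\AdobeCE\devoptiloc.exe"},
]


def triage(events):
    """Return {rule: [detail, ...]} for every indicator that fires."""
    hits = defaultdict(list)
    dropped = set()      # lower-cased paths written by any process in the batch
    run_targets = {}     # lower-cased value data -> (key\name, original data)
    started = {}         # pid -> image
    children = defaultdict(list)

    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            path = ev["TargetFilename"]
            dropped.add(path.lower())
            if STARTUP_DIR_RE.search(path):
                hits["drops_startup_file"].append(path)
        elif eid == 13:
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if m:
                data = ev["Details"].strip('"')
                key = f"{m['key']}\\{m['name']}"
                run_targets[data.lower()] = (key, data)
                hits["adds_run_key"].append(f"{key} = {data}")
        elif eid == 1:
            started[ev["ProcessId"]] = ev["Image"]
            children[ev["ParentProcessId"]].append(ev["ProcessId"])

    # Second pass: relate what was executed to what was dropped or registered.
    images = {img.lower() for img in started.values()}
    for pid, img in started.items():
        if img.lower() in dropped:
            hits["executes_dropped_exe"].append(f"{pid} {img}")
    for key, data in run_targets.values():
        if data.lower() not in images:     # persisted but not yet run: collect it
            hits["run_target_not_executed"].append(f"{key} -> {data}")
    for parent, kids in children.items():
        if parent in started and len(kids) >= 2:
            hits["spawns_multiple_children"].append(f"{parent} -> {sorted(kids)}")
    return dict(hits)


if __name__ == "__main__":
    for rule, details in triage(SAMPLE_EVENTS).items():
        print(rule)
        for d in details:
            print("   ", d)
```

On a real host, replace SAMPLE_EVENTS with the EID 1/11/13 records exported from the Sysmon operational log; the rules key on directory and key-path patterns rather than on the exact file names, so renamed droppers still match, while the run_target_not_executed rule tells the responder which persistence target (here the RunOnce one) still needs to be pulled from disk before it runs.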
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 5224dced10ca195c0c1f5d2f3f097354
SHA1: ef6c4fe0d93bf6cb737b53a7784442d4621a032c
SHA256: 488a002372c907ca582f353b130d7c72b22f55cf96a5b44ef4d7d2c0607e5162
SHA512: 4cbc1ed2a50e1d3d34a70b033e3e3c689ffb57bb030f1a8d0c974da3543d7aaf42672cc66e7c1347541a3741568901c83314281ef5e98b9217a67fac39026741

Filesize: 2.6MB
MD5: 2769c24dd0c2f540e4ff534fe89daf33
SHA1: faa13070d33a61e578f2092432a6bb288af60723
SHA256: 51b977011134bf5e69ac85a9e8b52eab905390d339d0cc8af1b25df5a3e8eab6
SHA512: 44b5f01bcaaec6aa12710e7f8d08f705e727d79e3c3820e5ddfda72b22e07458513dae61074953d3b65712a35a0639f38c31130c30ef2fa5268bd9eb0806522a

Filesize: 81KB
MD5: 23057168dfc154d1ad9a3e5fbcbd9d0f
SHA1: 7e6f6a46a229a5fb7b527dfe0d27225b987c97c7
SHA256: aab2d129940037b5d66cd3096783c7c7f11656107c892dfeec303da725c587e1
SHA512: c806b15061f5d63723bfad2915850ad90032e8793c4d50d25e5c4c6bde90a41b6c5198c711abafbfc491233686f013b8eccf7921cb711b3e61dc4831278f3ab0

Filesize: 171B
MD5: bf93c5ccfc127d9f88bc36c78e039e00
SHA1: 4706de13ceabf412b1e718d183427be6ebdf0275
SHA256: e29a7f2d0f249a6ec13b79930077a15de79c633b0b61282926525eb45d2e46e1
SHA512: 70d91e684561199ccfd0bd0ee7a151ef4ea2c6155ada5ed885a9724419891dc5d2a225c861cbafd0d786f5acf202982c39e40a9e5e33536890eebf2c61ef064f

Filesize: 203B
MD5: 14fc9dfd6a4eff5eaa5c89d430af3be2
SHA1: 36a1b692f3ee139d2738a219424cbeac6c22bc6a
SHA256: 57387e72d27fb500f9eb8ee398e5e62e2464976f8cb1a2c8746e9412cada0abd
SHA512: 9dca8cce7d58e165470a8e091a8c9986c49120a7c1a370d7a2112275e04e3fe95b5863a77515d78982ff6b42cbefafc32d38ae66ac15597ed641f8dae57b6ccb

Filesize: 2.6MB
MD5: 258d1995cad8073eb5ea858cbbfba193
SHA1: 45c4a7ab456c4dfa5ece696dd542bb011078f312
SHA256: 79a140f3c8036c231f0f0c42df119b262c77ee67682cdb2ee1913adf0dc1a442
SHA512: 890cc6a264d6506cee3ade18ff5456e5f6419f1bf1c5cb9e3d97fd079dcfd72f4c03f675dbdd8b6e12d330839c079d5e217debbca2881eab0ff29f1db52dae1e