Analysis

max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:49

Static task: static1

Behavioral task: behavioral1
Sample: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
Resource: win10v2004-20241007-en
General

Target: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
Size: 2.6MB
MD5: 3d9a5f944c590f6857ce536f40489f60
SHA1: f5075b9092f36a62cca582b47e454cc13874aee5
SHA256: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428
SHA512: 3aa09ff9bfd1922f0fe807cbdb78499248127cdfb58d40c4e08ab449be0e04efd100e59dd1fdad328dc573cd8d2023ae2ba9da0399a52830544b8cd7d8ed9b96
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe

Executes dropped EXE (2 IoCs)
  pid 2396  Process: locabod.exe
  pid 1984  Process: xdobec.exe

Loads dropped DLL (2 IoCs)
  pid 1956  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe (2 events)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCA\\dobdevsys.exe"
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAL\\xdobec.exe"
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: locabod.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xdobec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1956  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe (2 events)
  pid 2396  Process: locabod.exe (31 events, alternating with xdobec.exe)
  pid 1984  Process: xdobec.exe (31 events, alternating with locabod.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1956 wrote to memory of 2396
  pid: 1956
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  procid_target: 30
  (4 events)

  description: PID 1956 wrote to memory of 1984
  pid: 1956
  Process: 7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  procid_target: 31
  (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7458ff7069abc70a68833d64787e030cb373464b051b77cba37806bfa3e0c428N.exe"
  tree level: 1
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1956

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    tree level: 2 (child of PID 1956)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2396

  C:\AdobeAL\xdobec.exe
    command line: C:\AdobeAL\xdobec.exe
    tree level: 2 (child of PID 1956)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1984
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 88d61abe9fc0c026d7dab97d7065e76e
SHA1: 559acfebe8517111bd2876a2086320e652da36e3
SHA256: 566938447a8acea9fcfd42f836d4ad98a57f5d19e2038322dbef27179c8794f1
SHA512: c0a706c1c84659da47a2c89ec947e7e1a1c2494c4fe7abade714d3193f4aac67d4ee13b6c372c56e16f864ad3374e950ff15a72b1c609b95a939b7c9ddac4ef2

Filesize: 168B
MD5: 001f2fdcb33c3b36f249decfe708e6ae
SHA1: 61f1dc4674a600628cb5680a866c68ccda58824d
SHA256: 6c037f66ec8687263bab42bb211e32570585c03a83ea7221de1a2bf7ed47f274
SHA512: 609497c66e0e18baa73c9b33504777366168b97449de3c603d728f4d14209e2c0fc3d7aa68ee841d9ac5032dda7228f8f8fb2270c076fc3c3583b5122da7a2e3

Filesize: 200B
MD5: 478aa919f81de7d378b919c2d71129f0
SHA1: 0a3d43f941cd77384a136bc1e1c7b15c68a56c2a
SHA256: 663115e45d9bfa70c06cca8617aea58d2a2a2a9fe81aa988ed06791d2cd317c5
SHA512: c720e809f98af8548a26c6c792a6a8e2525e27e2b28fae704573e030b1f45a974888cb48c983373496a570b75370c2d9afa5770698a02ab85d4c07abe7661bfc

Filesize: 2.6MB
MD5: eaa5e4853533b1eeda6f065931411762
SHA1: eeb92769d323f22ab7993588cb1899dce5911a49
SHA256: 2ac9848c584f4d288d53fd7ecd28b967f6b6cc6b577b57d3f87f26e6b8bb44c2
SHA512: 3ceee8b23914e0050d85db4fc39624ffbe06afe70d3a6e268d34089ad073001ccb1c1965a186af73854276255235039043b2172e86bba9bec598cb552e1626f2

Filesize: 2.6MB
MD5: d4de867007e2b9d82ef4435e69f4ac56
SHA1: 606e1c5f0cc271742ed447e405ee6b94e94f34e3
SHA256: c12003d5114a36327ff07ba7c85c181e8d037410efa83a8707524c1cc7260af9
SHA512: 68176ec2a07b104390f9192218f49d8b850309315b63d952cce0d06a03feadb23b166ad4202c525977a21ddbaf6553fd6ab64ea39254c9272895aa31f0d3b241

Filesize: 2.6MB
MD5: 6f863215140b0c0b991e05dfcf0bf4a3
SHA1: 3d303ea77bd125298b4ec81ec70c7f3b8a35fdb5
SHA256: 9c45a67ecef99e6ab1c757fd435ec9c061e36cb83e2d5a37a8546f3fa10c8f70
SHA512: a5c8d41ded5bbca277ee14c1c425eda25f37b9ec196a084569dcdfb7ddd8b25d1569986de5e1392ad5fbe8aa5aa64e52313358392c341819923b93594c0fdebf