Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
  Resource: win10v2004-20241007-en
General
Target: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
Size: 2.6MB
MD5: a954123375b68224644745c7d4caf4f9
SHA1: ad91f8c88f9414ce194d49898df6286671e14eed
SHA256: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30
SHA512: 9a1cde7ae63c7dbecde7b5c9150ce88074cec75980ad76c266a28e610e84ecaf3bbe02ff6ef2e7217ef61fdab126b005acc68b7f686b09836ef35cee218af648
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqX:sxX7QnxrloE5dpUpIbVX
Malware Config
Signatures

Drops startup file (1 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (Process: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe)

Executes dropped EXE (2 IoCs)
- PID 4180: locadob.exe
- PID 4824: devbodsys.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAC\\devbodsys.exe" (Process: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAM\\bodxloc.exe" (Process: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe)

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: locadob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: devbodsys.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 events are repeated process-enumeration hits from three processes:
- PID 556: fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
- PID 4180: locadob.exe
- PID 4824: devbodsys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 556 (fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe) wrote to memory of PID 4180, procid_target 87 (3 events)
- PID 556 (fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe) wrote to memory of PID 4824, procid_target 90 (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe"
  PID: 556
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 4180
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\IntelprocAC\devbodsys.exe
    Command line: C:\IntelprocAC\devbodsys.exe
    PID: 4824
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads