Analysis
- max time kernel: 119s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 17:00
Static task: static1
Behavioral task: behavioral1
- Sample: cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
- Resource: win10v2004-20241007-en
General
- Target: cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
- Size: 2.6MB
- MD5: 5f84d08fc99bc0b5ff62a54c248de700
- SHA1: e1eb147143a95304448cf490a5d6980eda871afa
- SHA256: cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0
- SHA512: 2314dbc7a30079e6d8db93ccbf682e396e6974841b818b0b05f86b248a9c57b071e3cf849698f9df708f4bb0a9f3cc51326ec2eb3d93f512ca69d837626afd47
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSq:sxX7QnxrloE5dpUpwbV
Malware Config
Signatures
-
Drops startup file (1 IoC)

| description | ioc | Process |
|---|---|---|
| File created | `C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe` | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe |

Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 4852 | locxbod.exe |
| 3256 | abodec.exe |
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | `\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotII\\abodec.exe"` | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRC\\optixloc.exe"` | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe |
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | locxbod.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | abodec.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

The 64 entries repeat the same three pid/process pairs:

| pid | Process |
|---|---|
| 2228 | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe |
| 4852 | locxbod.exe |
| 3256 | abodec.exe |
Suspicious use of WriteProcessMemory (6 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2228 wrote to memory of 4852 | 2228 | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | 89 |
| PID 2228 wrote to memory of 4852 | 2228 | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | 89 |
| PID 2228 wrote to memory of 4852 | 2228 | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | 89 |
| PID 2228 wrote to memory of 3256 | 2228 | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | 90 |
| PID 2228 wrote to memory of 3256 | 2228 | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | 90 |
| PID 2228 wrote to memory of 3256 | 2228 | cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | 90 |
Processes
- C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe (level 1, PID 2228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe (level 2, PID 4852)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotII\abodec.exe (level 2, PID 3256)
    Command line: C:\UserDotII\abodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads