Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  Resource: win10v2004-20241007-en
General
Target: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
Size: 2.6MB
MD5: 5683533888eca804288fea46c019a480
SHA1: 985208a86692bcfa0ac678d011d4cefac366cdd6
SHA256: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fd
SHA512: 4ba0b018be4491073b999a4aa1ab4e9edbab96604ab69a14b961da2d3d4b0e539940fe4fac76cbcc994921244eb63857ba248de7721c2481f37fb0ccbfef533f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSq:sxX7QnxrloE5dpUpZbV
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  Process: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  Anything placed in the per-user Startup folder runs at that user's next interactive logon.

Executes dropped EXE (2 IoCs)
  PID 2680  locabod.exe
  PID 2740  adobloc.exe

Loads dropped DLL (2 IoCs)
  PID 2220  37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe (both load events; the report does not name the DLL)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other secrets. The report lists no individual IoC rows for this signature.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOI\\adobloc.exe"
    Process: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBR8\\boddevec.exe"
    Process: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
  (String data is shown as the report prints it, with escaped backslashes.)
  Both values use the same name, Parametr. The Run value points at adobloc.exe, which was observed running as PID 2740. The RunOnce value points at C:\KaVBR8\boddevec.exe, which appears nowhere else in this report: it would only execute at the next logon, after which Windows removes the RunOnce entry. The report shows no file-creation row for it, so confirm the file exists before treating it as a second stage.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
    Process: locabod.exe
    Process: adobloc.exe
  Caveat: plenty of legitimate software opens this key during locale initialisation, so the signature is weak on its own; here its main value is that all three binaries behave alike.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2220  37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe (2 events)
  PID 2680  locabod.exe and PID 2740  adobloc.exe (the remaining 62 events, alternating between the two)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2220 (37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe) wrote to memory of PID 2680 (locabod.exe)   4 rows, procid_target 30
  PID 2220 (37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe) wrote to memory of PID 2740 (adobloc.exe)   4 rows, procid_target 31
  Caveat: the only targets are the two children the sample itself launched. A parent writing into the address space of a child it has just created is part of ordinary process creation, so without an observed remote thread, section mapping or a write into an unrelated process these rows establish the parent/child relationship rather than injection.
Processes

C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe   (depth 1, PID 2220)
  command line: "C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe   (depth 2, child of PID 2220, PID 2680)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesOI\adobloc.exe   (depth 2, child of PID 2220, PID 2740)
    command line: C:\FilesOI\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

The sample runs from %TEMP% only because that is where the sandbox places it. Both persisted binaries were started directly by the sample during this run; on a real host they would additionally start at the next logon through the Startup folder and the Run value.
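The signature rows and the process list above are easier to reason about once cross-checked against each other. The following Python script is an added example, not part of the report or of the sandbox's own tooling, and every function name in it (`parse_iocs`, `process_tree`, `unobserved_targets`, `triage`) is the example's own. It takes the IoC rows and the process list from this report as constructed inline input, rebuilds the parent/child relations from the WriteProcessMemory rows, and checks each persistence target (Startup folder drop, Run value, RunOnce value) against the processes that were observed running, so that a persistence entry pointing at a binary that never executed, as the RunOnce value does here, stands out.

```python
"""Cross-check of sandbox signature rows against the observed process list.
Added example; not part of the report or of the sandbox's own tooling."""
import re
from collections import Counter

SAMPLE = "37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed input, copied from the report's "Processes" section: pid -> image path.
OBSERVED_PROCESSES = {
    2220: r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
    2680: STARTUP + r"\locabod.exe",
    2740: r"C:\FilesOI\adobloc.exe",
}

# Constructed input, copied from the signature tables, one IoC row per line.
# The report prints registry string data with escaped (doubled) backslashes.
IOC_ROWS = rf"""
File created {STARTUP}\locabod.exe {SAMPLE}
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOI\\adobloc.exe" {SAMPLE}
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBR8\\boddevec.exe" {SAMPLE}
PID 2220 wrote to memory of 2680 2220 {SAMPLE} 30
PID 2220 wrote to memory of 2680 2220 {SAMPLE} 30
PID 2220 wrote to memory of 2680 2220 {SAMPLE} 30
PID 2220 wrote to memory of 2680 2220 {SAMPLE} 30
PID 2220 wrote to memory of 2740 2220 {SAMPLE} 31
PID 2220 wrote to memory of 2740 2220 {SAMPLE} 31
PID 2220 wrote to memory of 2740 2220 {SAMPLE} 31
PID 2220 wrote to memory of 2740 2220 {SAMPLE} 31
"""

# Row layouts follow the report's columns: description, pid, Process, procid_target.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ (\d+)$")
SETVALUE_RE = re.compile(r'^Set value \(str\) (\S+) = "([^"]*)" (\S+)$')
FILE_CREATED_RE = re.compile(r"^File created (.+?) (\S+)$")   # path may contain spaces


def parse_iocs(rows):
    """Return WriteProcessMemory edges (with row counts) and persistence entries."""
    writes = Counter()   # (source pid, target pid) -> number of rows
    persistence = []     # (mechanism, location, target path, writing process)
    for line in rows.strip().splitlines():
        if m := WRITE_RE.match(line):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := SETVALUE_RE.match(line):
            key, data, proc = m.groups()
            mechanism = key.rsplit("\\", 2)[1]           # "Run" or "RunOnce"
            persistence.append((mechanism, key, data.replace("\\\\", "\\"), proc))
        elif m := FILE_CREATED_RE.match(line):
            path, proc = m.groups()
            if path.lower().startswith(STARTUP.lower()):  # only Startup-folder drops persist
                persistence.append(("Startup folder", STARTUP, path, proc))
    return writes, persistence


def process_tree(writes):
    """parent pid -> sorted child pids. Caveat: a parent writing into a child it
    has just created is ordinary CreateProcess behaviour, so these edges show who
    spawned whom; by themselves they are not evidence of injection."""
    tree = {}
    for src, dst in writes:
        tree.setdefault(src, []).append(dst)
    return {parent: sorted(children) for parent, children in tree.items()}


def unobserved_targets(persistence, observed):
    """Persistence targets whose path never appeared as a running process."""
    running = {path.lower() for path in observed.values()}
    return [target for _, _, target, _ in persistence if target.lower() not in running]


def triage(rows=IOC_ROWS, observed=OBSERVED_PROCESSES):
    writes, persistence = parse_iocs(rows)
    return {
        "tree": process_tree(writes),
        "write_counts": dict(writes),
        "persistence": persistence,
        "never_executed": unobserved_targets(persistence, observed),
    }


if __name__ == "__main__":
    result = triage()
    for parent, children in result["tree"].items():
        print(f"PID {parent} spawned {children}  write rows: {result['write_counts']}")
    for mechanism, _, target, proc in result["persistence"]:
        print(f"{mechanism:<15} {target}  set by {proc}")
    print("persistence targets never seen running:", result["never_executed"])
```

Run as-is it reports one parent (2220) with two children, three persistence entries, and a single target that never executed, C:\KaVBR8\boddevec.exe. The same parser works on any report with these row layouts; swap in the rows and process list of another run to get the same cross-check.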
Network
MITRE ATT&CK Enterprise v15
Downloads (files extracted from the run)

File 1
  Filesize: 12KB
  MD5: 0d80c026ff7217667d1758553c9b1b94
  SHA1: 14d1f220d41220a37e1c0a894bbcc390e238adac
  SHA256: 3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8
  SHA512: 5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a

File 2
  Filesize: 2.6MB
  MD5: 2a2e03531d8a9adcd30bac9865e90388
  SHA1: 20e18ab441b57953aff6fe2db3652a43ac17b3d0
  SHA256: ab5d5ff420bc351cf77b49ee8eb6cfa815bddfe0ad8bfbd4270cab194588dfe8
  SHA512: ee7d59ee9f6d0d8348254581998fd6da0bc9a5aabf9583b0b386a34efea57340bc48681d77d27cea07142b173e0977d3cd9cabbb6d3f13c06ed5558deb802f15

File 3
  Filesize: 2.6MB
  MD5: fdd12b5bcf5418f38e20f4d111d0156b
  SHA1: 20b668176d325aa3418f35846f50d85d71f0fecc
  SHA256: d116ca6dec6255354b4eebe606e1d493fff41a32832f0cc2f018e78e30fcd612
  SHA512: a530ae673933eb717d93b0c177bebfd415bbc4f05624b45cc7a13029d9ce09c6df4b5616f0b0b319464150fa2eb44d08692ec058de40c84e9b3d56587b2be49c

File 4
  Filesize: 169B
  MD5: 6379803b6c7947d428bb7b3f0d77cdf5
  SHA1: 0b6eb8f10afc95a812f2ca9b7cf67dd7dcf7e110
  SHA256: f894f00eb30d5552e5d07250152894dffce784096c243d2cea16f80234772045
  SHA512: d540f1dd1d1e0635b1abe6651390a7b873884e7cd601a3af3faf3fc3317063a9018cb93c133ac5bd77a6971186a70764a577f06098d81148bfc14d4b503bbc33

File 5
  Filesize: 201B
  MD5: 11914196df9e2415a5cb2585e340c77a
  SHA1: 8bb5a29e362e6b04922b61842cb8dc18c258bf01
  SHA256: 6ce17b0ad5ce838b37e65df833f3d652b2f64a9b1706e8e66072790f7772209c
  SHA512: 198d860cea18cc2f90e7c52f64308d8016ef249108f5a7f51feecf8ee51b4961e12792e953d9532b0ff694debac5aa4ca98d03b053213cf3b0f8e222954f5ed3

File 6
  Filesize: 2.6MB
  MD5: 1cdbef1077540e31855151dd38884ade
  SHA1: 085dc85aa80590c63e538176424493eaf388cddf
  SHA256: c065420606b281cb1001dc7e5ef19062b4d43ddc83fc2e3bb7ab13bb7febfe56
  SHA512: 38e9f888d3e356443b5d8c65bfc4031017f55230b26a9f0cc02870626f2062fccf6c36c6d16128181c9f9fb6afceab8641a4a6efedb70bd77843b32203b2b1f4

File 7
  Filesize: 2.6MB
  MD5: 4482bd1d66ece96f6ca1219b0aeba55e
  SHA1: f4f72da58a1629dd21b684ef1cba102ac3428d9f
  SHA256: 2f1f7808701c24a72ce5ccd0505896509cc7217ac5da44b8a0bf0efff2185455
  SHA512: 8b17e32675f01a374b6ed21f0ccca39172b173f1db021559cf7b7e9d9e60750045c0b5e40ebcb567e5d82dcd43005f4cdd5d0b98dd3c7b3d6e14af7fbc94ae50

Note: the report does not name these files. Four of them are 2.6MB, the same size as the sample, yet none carries the sample's hash; compare them byte-for-byte against the sample (and against each other) before assuming they are plain copies, since self-modifying copies of a dropper are a common way for an otherwise identical binary to get a fresh hash.