Analysis

max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 17:21
Static task: static1

Behavioral task: behavioral1
  Sample: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
  Resource: win10v2004-20241007-en

The signatures, process tree and captured files below are from behavioral2 (the resource named in the Analysis header, win10v2004-20241007-en).
General

Target: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
Size: 2.6MB
MD5: b4479cc4f5a9479b5d4259b7eb25d2b0
SHA1: 8d575cf4883182cbf288c7db009ab72ccc086968
SHA256: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825
SHA512: 070db49fddcfae383d9d7e30c8a86a74f666de352f9033c5056a7a75bfa791ae60093236d35ed8e2e313e30afe76a882ee108c8aa19db91d3daef665136881d0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS:sxX7QnxrloE5dpUpZb
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  Process: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe

Executes dropped EXE (2 IoCs)
  PID 1188: locdevbod.exe
  PID 3208: xdobloc.exe

Reads user/profile data of web browsers (3 TTPs; the report lists no IoCs for this signature)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB24\\dobdevloc.exe"
    Process: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe65\\xdobloc.exe"
    Process: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
  Both values use the same name, "Parametr", under the current user's hive (HKU\<SID>), not HKLM, so they persist only for the user who ran the sample. Note that the RunOnce target C:\KaVB24\dobdevloc.exe does not appear among the processes observed in this run; only locdevbod.exe (from the Startup folder) and xdobloc.exe (the Run target) were executed.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The report lists 64 pid/process entries, summarised here by process:
  PID 536  d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe  (4 entries)
  PID 1188 locdevbod.exe  (30 entries)
  PID 3208 xdobloc.exe    (30 entries)
  After the four entries for PID 536, the list alternates in pairs between 1188 locdevbod.exe and 3208 xdobloc.exe.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 536 (d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe) wrote to memory of 1188, procid_target 87
  PID 536 (d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe) wrote to memory of 1188, procid_target 87
  PID 536 (d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe) wrote to memory of 1188, procid_target 87
  PID 536 (d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe) wrote to memory of 3208, procid_target 88
  PID 536 (d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe) wrote to memory of 3208, procid_target 88
  PID 536 (d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe) wrote to memory of 3208, procid_target 88
  Three writes to each child, all from the parent sample, is the pattern of a parent preparing the child it just created (for example setting up its environment or startup data) rather than injection into an unrelated process; the report does not show what was written.
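The following is an added host-triage check and is not part of the sandbox report or of the sample. It looks for the persistence artefacts the signatures above describe on a suspect Windows host: the "Parametr" value under Run and RunOnce in every loaded user hive (the report shows the value under HKU\<SID>, so HKCU alone would miss other logged-on users), the three drop paths named in the report, and any running copy of the dropped executables. The file paths, value name and SHA256 values are taken from the report; the function name Find-ReportPersistence, the hive enumeration and the output shape are my own choices.

```powershell
# Added example (not from the report): triage a host for the persistence
# artefacts listed in the sandbox signatures. Run from an elevated prompt so
# that every loaded user hive under HKEY_USERS is readable.

# SHA256 values quoted in the report: the submitted sample plus the files
# captured during the run (the report does not name those files).
$KnownSha256 = @{
    'd4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825' = 'submitted sample'
    '08fe99f5d793b308d1e437223ec27ef58cc1f745c52f6053d9d703fb6caec87f' = 'captured file (2.6MB)'
    '398c41f2868f122743f609b0ee2e6e0e4ceb264eb56f10b8426be5607653aeda' = 'captured file (877KB)'
    'b15b1fb7549e37e66632af877cf9154f8698d790ef00874bfe4367901dd09586' = 'captured file (2.6MB)'
    'ff7ba338ee00acdb24699b9b4e9870af905fe493a6d689c7e7b268dd56a58186' = 'captured file (204B)'
    'b1110957034016e38f3a124ec2c1fdfec861793d3fc0fd306d20972de0cd0805' = 'captured file (172B)'
    'd9c1a96eb49a9ae315b91457dbb607bdf51e406d057dd7a1f6bd09a4530dd14a' = 'captured file (2.6MB)'
}

function Find-ReportPersistence {
    [CmdletBinding()]
    param(
        # Value name the sample wrote under both Run and RunOnce.
        [string]$ValueName = 'Parametr',
        # Drop locations named in the report. The Startup-folder path is
        # resolved for the current user; adjust for other profiles as needed.
        [string[]]$DropPaths = @(
            'C:\KaVB24\dobdevloc.exe',
            'C:\Adobe65\xdobloc.exe',
            (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe')
        )
    )

    $findings = @()

    # 1. Run / RunOnce in HKLM and in every loaded user hive (skip the
    #    *_Classes hives, which hold no CurrentVersion\Run keys).
    $hives = @('HKLM:')
    $hives += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::$($_.Name)" }

    foreach ($hive in $hives) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties[$ValueName]) {
                $findings += [pscustomobject]@{
                    Type  = "Registry $sub"
                    Where = "$key\$ValueName"
                    Value = $props.$ValueName
                    Match = 'value name matches report'
                }
            }
        }
    }

    # 2. Dropped files: hash whatever is present and compare with the report.
    foreach ($p in $DropPaths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $findings += [pscustomobject]@{
                Type  = 'File'
                Where = $p
                Value = "sha256=$h size=$((Get-Item -LiteralPath $p).Length)"
                Match = if ($KnownSha256.ContainsKey($h)) { $KnownSha256[$h] } else { 'path only; hash not in report' }
            }
        }
    }

    # 3. Running copies of the dropped executables (names from the report).
    foreach ($name in 'locdevbod', 'xdobloc', 'dobdevloc') {
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += [pscustomobject]@{
                Type  = 'Process'
                Where = "PID $($_.Id)"
                Value = $_.Path
                Match = 'process name matches report'
            }
        }
    }

    return $findings
}

Find-ReportPersistence | Format-Table -AutoSize
```

A hit on the value name alone is weak evidence (another program could use "Parametr"), so treat the registry rows as leads and confirm with the file-hash or process rows; the drop directories C:\KaVB24 and C:\Adobe65 are themselves worth listing if present, since the report shows nothing else writing there. Remediation is not shown here: collect first, then remove the Run and RunOnce values, the Startup-folder file and the two drop directories together, because each of the three mechanisms can restore the others on next logon.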
Processes

1. C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe"
   PID: 536
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (child of PID 536)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
      PID: 1188
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Adobe65\xdobloc.exe (child of PID 536)
      Command line: C:\Adobe65\xdobloc.exe
      PID: 3208
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network

No entries are listed in this section of the report.

MITRE ATT&CK mapping: Enterprise v15
Downloads

Files captured during the run and offered for download by the report. The report gives hashes and sizes only; file names are not listed, so the entries cannot be mapped to the drop paths above without hashing the files themselves.

File 1
  Filesize: 2.6MB
  MD5: 95ab4c216dfa422e2f9bfe7bde8097b2
  SHA1: d351bde01c0a05ec2766bad5e34d032524ec681a
  SHA256: 08fe99f5d793b308d1e437223ec27ef58cc1f745c52f6053d9d703fb6caec87f
  SHA512: dd2e6491d429861c21fe92233b843f182f2a0c2b15014f756a9c8a252d7272831104fd8dfe8735a960049b903d3ede1aa7a93b54903dda954de3f58ab54d6ffd

File 2
  Filesize: 877KB
  MD5: dd441a90b3929e379b5e687c40e462c1
  SHA1: ed8fd1688fe952f3c4139bbd554a7dcc9e4fb617
  SHA256: 398c41f2868f122743f609b0ee2e6e0e4ceb264eb56f10b8426be5607653aeda
  SHA512: a37d5c21bc1ef4eb8a29e0a73193794141403a89133fa7bad9236123025a080b130191fb93a5f915e0fe79f1a689c67eeaed99ba453503ad3c6e7fe0f4b0855e

File 3
  Filesize: 2.6MB
  MD5: 0f44e2a3c0551a5e4fe9193d05c1e0ef
  SHA1: b4850d426fd963665b1cf1c478c7a11f0e1398c3
  SHA256: b15b1fb7549e37e66632af877cf9154f8698d790ef00874bfe4367901dd09586
  SHA512: 508be8d3b425e7d30b214b4b76c029abae2a2bc344af4aefc02a66e714eb932fabedb34cb0a4f8b75195a5ebe0c02d8feea35c8f593996d417e65bbe49c6a611

File 4
  Filesize: 204B
  MD5: d0dd4e5183a95065048e679331b77239
  SHA1: c8f719c7655ca9c1128d54287c2743358d14b9df
  SHA256: ff7ba338ee00acdb24699b9b4e9870af905fe493a6d689c7e7b268dd56a58186
  SHA512: 893c73748e613acd97eff565cbc9d4d3e4ac619f704999ba41b398975c14dc8db709e45e3c74cef189a0d20a2eb0a4d9c0d4f2fdc2ee8e74a58aa51e80b4085d

File 5
  Filesize: 172B
  MD5: 8616775d1b303f9c7cc6b6697e26df13
  SHA1: 98883ea5281dbbc790c8a31352a388ae53cf4b44
  SHA256: b1110957034016e38f3a124ec2c1fdfec861793d3fc0fd306d20972de0cd0805
  SHA512: aecb5fa03c56abd2a259ee47a2291234549ee300c33c6899844ed7b7579c066de861153b05735342cc7a7e1dbda15d0b055c0dd37948a0e1999a658ff1946095

File 6
  Filesize: 2.6MB
  MD5: f74a6cf39a57abb3fdb5b0cf1f03afc5
  SHA1: 282e6330df78bb548ccf58378b876eea51a93c80
  SHA256: d9c1a96eb49a9ae315b91457dbb607bdf51e406d057dd7a1f6bd09a4530dd14a
  SHA512: 59c412a6125c4459a41be4e8b231f3f838385a76f6b5449a20e92a7d8a5f8f8eb9cd19f0ea28809b7b7c8ff66b18d6264367733c1e1efbb363f82c0972d68cca

Three of the captured files are 2.6MB, the same size as the submitted sample, but none of their hashes matches it, so the dropped copies are not byte-identical to the original.