Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 17:22
Static task: static1
Behavioral task: behavioral1
- Sample: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
- Resource: win10v2004-20241007-en
General
- Target: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
- Size: 2.6MB
- MD5: c8e6cd3b257f0fbbcbe9d47e89be9380
- SHA1: ac72c5c60b9d1f31636772e7db3070cceb9c1353
- SHA256: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7
- SHA512: d7111cb2a21ac5de9a89b875151a85a3d0233f7f9a84893407ed588702f2398c222d28c57954dac6a90fae2710daf597f6ef56e3e79bd09ca2f74560df747a68
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSq:sxX7QnxrloE5dpUpLbV
Signatures

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe

Executes dropped EXE (2 IoCs)
pid | Process
2808 | locadob.exe
2732 | abodsys.exe

Loads dropped DLL (2 IoCs)
pid | Process
2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE5\\abodsys.exe" | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBT5\\dobxec.exe" | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
2808 | locadob.exe
2732 | abodsys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2152 wrote to memory of 2808 | 2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | 30
PID 2152 wrote to memory of 2808 | 2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | 30
PID 2152 wrote to memory of 2808 | 2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | 30
PID 2152 wrote to memory of 2808 | 2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | 30
PID 2152 wrote to memory of 2732 | 2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | 31
PID 2152 wrote to memory of 2732 | 2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | 31
PID 2152 wrote to memory of 2732 | 2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | 31
PID 2152 wrote to memory of 2732 | 2152 | b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe"
  PID: 2152
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe (child of PID 2152)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 2808
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeE5\abodsys.exe (child of PID 2152)
    Command line: C:\AdobeE5\abodsys.exe
    PID: 2732
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads