Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 17:22

Static task: static1

Behavioral task: behavioral1
Sample: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
Resource: win10v2004-20241007-en
General
Target: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
Size: 2.6MB
MD5: c8e6cd3b257f0fbbcbe9d47e89be9380
SHA1: ac72c5c60b9d1f31636772e7db3070cceb9c1353
SHA256: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7
SHA512: d7111cb2a21ac5de9a89b875151a85a3d0233f7f9a84893407ed588702f2398c222d28c57954dac6a90fae2710daf597f6ef56e3e79bd09ca2f74560df747a68
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSq:sxX7QnxrloE5dpUpLbV
Malware Config
Signatures
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe, by process b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe

Executes dropped EXE (2 IoCs)
PID 1436: locxdob.exe
PID 3152: adobsys.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWO\\adobsys.exe", by process b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDZ\\optixloc.exe", by process b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process locxdob.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process adobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
PID 776: b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
PID 1436: locxdob.exe
PID 3152: adobsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
PID 776 (b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe) wrote to memory of PID 1436, target procid 88 (3 entries)
PID 776 (b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe) wrote to memory of PID 3152, target procid 89 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe (PID 776), command line "C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (PID 1436), command line "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\AdobeWO\adobsys.exe (PID 3152), command line C:\AdobeWO\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads