Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 13:51
Static task: static1
Behavioral task: behavioral1
- Sample: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
- Resource: win10v2004-20241007-en
General
- Target: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
- Size: 2.6MB
- MD5: f24829d54377deba94bd4b8fde70b726
- SHA1: cdbc61b458a50d33cb68270e9b077a0a0af70fc4
- SHA256: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb
- SHA512: 4e644377691dba3b04413d3c35a1801aa207bc45cf1c04efa9971786541fd5a6629d332d2d230b16b1318d6ba49863bf21f85741767665240e8cd1f6a741adfa
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSi:sxX7QnxrloE5dpUpMbl
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes (description | ioc | Process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | Process):
    3112 | locxdob.exe
    5024 | devbodec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | Process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocC6\\devbodec.exe" | 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2S\\optidevloc.exe" | 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | Process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxdob.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | Process; 64 repeated entries, each distinct pair listed once):
    2648 | 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
    3112 | locxdob.exe
    5024 | devbodec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | Process | procid_target):
    PID 2648 wrote to memory of 3112 | 2648 | 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | 89  (3 entries)
    PID 2648 wrote to memory of 5024 | 2648 | 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | 90  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe"
  PID: 2648
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
    PID: 3112
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocC6\devbodec.exe
    Command line: C:\IntelprocC6\devbodec.exe
    PID: 5024
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads