Analysis

Max time kernel: 119s
Max time network: 94s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-11-2024 13:27

Static task: static1

Behavioral task: behavioral1
  Sample: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
  Resource: win10v2004-20241007-en
General

Target: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
Size: 2.6MB
MD5: 182f21b27e16563b886f80ef812443a0
SHA1: 6a9337e726f7b69933e635a8110a0cf514a77c8a
SHA256: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783
SHA512: bb15152bd76248bc351705e741a412668828333bb175747b953bfcbdf3a5c9057026497acf997e23fd549ecd31fe5958256a9cc12477bc025791f2947b636190
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures
Drops startup file (1 IoC)
  Processes:
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Process: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe

Executes dropped EXE (2 IoCs)
  Processes:
    pid 2300  locadob.exe
    pid 3560  devbodec.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDO\\devbodec.exe"
    Process: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxSM\\optidevloc.exe"
    Process: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe

    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: locadob.exe

    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: devbodec.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / Process; the report lists 64 entries, which repeat the same three processes):
    pid 2156  c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe  (4 entries)
    pid 2300  locadob.exe   and
    pid 3560  devbodec.exe  (the remaining 60 entries, alternating in pairs between these two)

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description: PID 2156 wrote to memory of 2300
    pid: 2156
    Process: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
    procid_target: 87
    (listed 3 times)

    description: PID 2156 wrote to memory of 3560
    pid: 2156
    Process: c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
    procid_target: 90
    (listed 3 times)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe"
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2156

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 2300

    [2] C:\AdobeDO\devbodec.exe
        Command line: C:\AdobeDO\devbodec.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 3560
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: da021311a877ad92428dadf37b62effc
SHA1: 208eac6390b879473ff82902156fc17fe51ec5a5
SHA256: 87b5ba3764a9c636815a3958141b01bcb58b3bf4dad3cd664070330f9096a0be
SHA512: ad2d2df65a9eb7f7e3f9da8c5e0fad4f7778c1cf5e480bae9dcb120d44590eadba96a9be506273b081e637f9e744f041065cf5e05ea2eafa001e77056a9a00de

Filesize: 2.6MB
MD5: 8173e9adcc429086444ee929a8cd8b97
SHA1: f8e88bdbb67203b3d601586119945ec615ba73d4
SHA256: 223dba21fce6654e1d4c3994e18d42bedc8fc466e81bb99970deca48a840ebff
SHA512: 5316c077f735b6a0b5abceb8aa07279a5a95bd7fb1a13f62b9d7b79a0c8a1cd83abd11e4bdab4429ac0cebafc71776c045e8b01068d0cd584dd44e9081c3a23a

Filesize: 191KB
MD5: c003ad024f7a20ea22a7e854edb21a28
SHA1: 0802eb527b76e43f3fb6152ae1441bea475f4f80
SHA256: b7db689568c60d34cb2a6089105b0e15aa241524bfdd1168e4d93b2976c98574
SHA512: 7331d783c9650cfb44470322ebc00ff2d28c322c6fb7ee6ebd11c28ecb3d817621db908f683360426842f072f84b46e38909b1fb3b10ae473d84c26b5ccd29d2

Filesize: 205B
MD5: eb23fb0691d5be39cc1bef1d515d5b34
SHA1: efd919013290c8cc5433801789c557badac31345
SHA256: 2ab3431ba546a2ba596d80b9cfa2c9c8aec8fe20499ee563e96fb0c75e68ee7d
SHA512: a7bff44fbd2f9cb1b8c6cda10da2eac91e7e9a5f2628092953c1d49687459615acb83d75702b963902a11819a45bacb6cbc6d4a1b31f70baccd9963ef441afbe

Filesize: 173B
MD5: 384a9b70ce458578ed7dc3201117957d
SHA1: 246268d2aaec1b220d2ca04af171fb09dd67f22b
SHA256: 22d8c2d93af75efb6de5e79b78f0f1df30adf50f961891139916f6a9e49e5bc0
SHA512: 9f534b79a4615d88c2533cc920f43bf5c91b04ae5b7c8abe108fda722d5f59fe3c3b055b484649c87c368eafac79903ffcbad9d42577a331c2d5862ae2982b45

Filesize: 2.6MB
MD5: 3becd49dd4617a5ea68af95f3504433f
SHA1: b9a1ae8882c68dd40d2fdd62aa5696452564172c
SHA256: 0d7be94a58b6355020875bb5076b30dbcdea4c953e17ad36e375f6c30cefd488
SHA512: 7b90d6b0ff94fb88ac551fcc4f84fb3daaee8f58a57a872a7058193ba1175215cbf8c17cd07ee8ed4fd6f09518a5ac93c667c60c0d1d5cf2305570f7a6d4e546