Analysis
- max time kernel: 119s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 13:39
Static task: static1
Behavioral task: behavioral1
- Sample: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
- Resource: win10v2004-20241007-en
General
- Target: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
- Size: 2.6MB
- MD5: 9bf4f468bf0478b72213306bda31c250
- SHA1: 6efc0ff3dda70bffbb144d9a1097622a16113c0a
- SHA256: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855
- SHA512: 56e9c10e59c98b5813a31cffcd23a3c2e28af4a19c5f30bfd62ff761872300167c81e227343327cdc2c5c913bd435b77e14e1a262078acc2c84638512910b9b8
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bS:sxX7QnxrloE5dpUpKb
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe (process: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe)
Executes dropped EXE (2 IoCs)
Processes:
- PID 4748: locdevbod.exe
- PID 1664: devoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKO\\devoptiec.exe" (process: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIS\\dobaec.exe" (process: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevbod.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devoptiec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the 64 entries are repeated hits on the following three PIDs):
- PID 1644: 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
- PID 4748: locdevbod.exe
- PID 1664: devoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 1644 (84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe) wrote to memory of PID 4748, procid_target 87 (3 entries)
- PID 1644 (84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe) wrote to memory of PID 1664, procid_target 89 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe"
  PID: 1644
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 4748
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocKO\devoptiec.exe
    Command line: C:\IntelprocKO\devoptiec.exe
    PID: 1664
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads