Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 13:42
Static task: static1
Behavioral task: behavioral1
  Sample: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  Resource: win10v2004-20241007-en
General
Target: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
Size: 2.6MB
MD5: f7c91568e0ad74851e94df6c04f44f80
SHA1: ffc774105161917f47d12b6a9013ca3bc26e1f86
SHA256: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352
SHA512: f8c0ea51c48762f4eb5681b0dd203b621e61d442f13f14084c5a50bff3901a3c0e4472ae88ed615b2291f47707fbbabadb3270faaff5a25ba0a8e49ed1cc0568
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpob
Malware Config
Signatures

Drops startup file (1 IoC)
Processes: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe

Executes dropped EXE (2 IoCs)
Processes: locxdob.exe, xdobec.exe
  pid | Process
  2368 | locxdob.exe
  2484 | xdobec.exe

Loads dropped DLL (2 IoCs)
Processes: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  pid | Process
  2972 | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  2972 | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKT\\xdobec.exe" | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQZ\\boddevloc.exe" | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: xdobec.exe, e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe, locxdob.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locxdob.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe, locxdob.exe, xdobec.exe
  pid | Process
  2972 | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe (2 entries)
  2368 | locxdob.exe (31 entries, alternating with the row below)
  2484 | xdobec.exe (31 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
  description | pid | Process | procid_target
  PID 2972 wrote to memory of 2368 | 2972 | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | 30 (4 entries)
  PID 2972 wrote to memory of 2484 | 2972 | e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | 31 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe"
   PID: 2972
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      PID: 2368
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\IntelprocKT\xdobec.exe
      Command line: C:\IntelprocKT\xdobec.exe
      PID: 2484
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: b7a0938561c03f53dd6693a80e33a2d8
SHA1: 61e07d0a3cc14ff558a41d8ca22673d1649816f3
SHA256: 8e351def9669cccd284061eeb3d786846edf17f12f0b0e98de153feee47ba113
SHA512: 0ee2e50cfb075c5f33cdfdd74418ed4cc6beb7c51f56562ccc52bfa588f92ceb3e5f4e58cc63321180b11005b19b14a85092b21b2ba0bc23baab47c71dc43974

Filesize: 172B
MD5: 06f370af9732cf665d6651dd6ce5335b
SHA1: 7568d18c536f61f43f605c68d4b507e16653a50d
SHA256: 0be0d0e1cb370e91241c36d888f54dd3b904835fdb468ff059dc700cb278b7bb
SHA512: 0fc39da54e812487b65df904d850aa936773d9dec00677b23ad533538e582cec7b46762eb2fc44928982b82548e7c769b513e2c4bf08fc824b62ae15a8e9262e

Filesize: 204B
MD5: ee0d2f62646a71604426b21aef165618
SHA1: e2824c3e249f0a84d7426f7e223b5e858270a1d2
SHA256: 490214d5c66986af042293eb9e8cc518a1b8a8097b9e529e14262082ae9a20cb
SHA512: f5c1d26193adbf42d0f066f743a9dc5460c3826103f2773bc2343e7692e12c81b24c2c727e22ca8e6ae7fbcff7afecf370ab2f23e59ce4de2fa402e0ed340baf

Filesize: 2.6MB
MD5: 34dacd3f975c6150bad652a7c69a80fa
SHA1: 6009e79836ef7e2f74037f8653f8b990c4f92ff0
SHA256: 225352dcacd2f2bbf965e25a4c70fc6229f04a91ebd2cd6d58d6a639d045030b
SHA512: c190f5a47d0e87f9f2c9c153a99f28a438faeacee32ef2ff754285c00893508109bc2e8abbb7479f3a85c4ff3c4512bea7762d2dc7119620f5683bc8a5a6abb4

Filesize: 2.6MB
MD5: c74f6be92edbdad4ca265931f65a1a14
SHA1: 32fc28f18362c0a09607afc42730477f98f96682
SHA256: cbb8e1bf8d9d17fb89d843d69bb619bea2267c1c31d377ebdb7204139fc13387
SHA512: 44ec3dd45ce3a8bac8ab5eee9de6f3f161d880f5472249e0f0056a9c3f4b464c3f1069f74a6fb02f7226b8601c829fd8a0f1e65f3afa5bcd6a5ae634c2242250