Analysis
-
max time kernel
120s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
13-11-2024 13:59
Static task
static1
Behavioral task
behavioral1
Sample
1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
Resource
win10v2004-20241007-en
General
-
Target
1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
-
Size
2.6MB
-
MD5
c36ab471590b1748155fd280cf12245c
-
SHA1
b2536fb5858b058629ad1fd9a3e2e1caed757f71
-
SHA256
1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2
-
SHA512
2f053d576b94cedc7a704c6ba10a50a74f462d9bc98194b04b520b1ae4a185324491fd75f9e38011f069b40cd1b24d8f87a87267cfb8748cd04037f7ae748ab9
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq1:sxX7QnxrloE5dpUpUbV1
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
  Process: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
-
Executes dropped EXE 2 IoCs
Processes:
  PID 2532  locxdob.exe
  PID 2176  abodec.exe
-
Loads dropped DLL 2 IoCs
Processes:
  PID 2172  1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe (2 dropped-DLL loads)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Process: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWY\\abodec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4Y\\dobasys.exe"
-
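The Startup-folder drop and the two Run/RunOnce values above are the persistence artifacts a responder would hunt for across a fleet. The Python below is an added example, not part of this sandbox report or of the tool that produced it: it runs Sysmon-style FileCreate (EventID 11) and RegistryEvent value-set (EventID 13) records, exported as JSON lines, against the report's exact IoCs and against a generic form of the same behaviour (any executable dropped into a user's Startup folder; any Run/RunOnce value written by a process whose image lives under AppData\Local\Temp). The event records are constructed to mimic Sysmon's JSON export and are not real telemetry; the field names (Image, TargetFilename, TargetObject, Details) follow Sysmon's schema.

```python
"""Hunt for the persistence artifacts listed in this report in Sysmon-style
logs. Added example, not part of the sandbox report. The event records below
are constructed to look like Sysmon EventID 11 (FileCreate) and EventID 13
(RegistryEvent, value set) exported as JSON lines; they are not real telemetry."""
import json
import re

# Exact IoCs taken from the report's "Drops startup file" and
# "Adds Run key to start application" signatures.
REPORT_STARTUP_FILE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\locxdob.exe")
REPORT_RUN_VALUES = {
    r"Software\Microsoft\Windows\CurrentVersion\Run\Parametr": r"C:\AdobeWY\abodec.exe",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr": r"C:\LabZ4Y\dobasys.exe",
}

# Generic forms of the same behaviour (not specific to this sample).
STARTUP_EXE_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
TEMP_IMAGE_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _norm(path: str) -> str:
    """Case-fold and strip the quotes that sandbox/Sysmon output puts around REG_SZ data."""
    return path.strip().strip('"').lower()


def classify(event: dict) -> list:
    """Return hunt labels for one event; an empty list means no finding."""
    labels = []
    eid = event.get("EventID")
    image = event.get("Image", "")
    if eid == 11:  # FileCreate
        target = event.get("TargetFilename", "")
        if _norm(target) == _norm(REPORT_STARTUP_FILE):
            labels.append("report_ioc:startup_file")
        elif STARTUP_EXE_RE.search(target):
            labels.append("generic:exe_dropped_in_startup")
    elif eid == 13:  # RegistryEvent (value set)
        obj = event.get("TargetObject", "")
        details = event.get("Details", "")
        if RUN_VALUE_RE.search(obj):
            # Compare only the key path below the HKU\<SID> prefix, so the match
            # does not depend on the victim's SID.
            for key_tail, value in REPORT_RUN_VALUES.items():
                if obj.lower().endswith(key_tail.lower()) and _norm(details) == _norm(value):
                    labels.append("report_ioc:run_value")
                    break
            if TEMP_IMAGE_RE.search(image):
                labels.append("generic:run_value_set_from_temp")
    return labels


def hunt(jsonl_lines) -> list:
    """Run classify() over JSON-lines records; return [(line_index, labels), ...]."""
    findings = []
    for i, line in enumerate(jsonl_lines):
        labels = classify(json.loads(line))
        if labels:
            findings.append((i, labels))
    return findings


SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe")
HKU = r"HKU\S-1-5-21-2703099537-420551529-3771253338-1000"

# Constructed events (not real logs). Records 0-2 mirror the report; 3 is a
# benign installer writing its own Run value; 4 is an unrelated Startup drop;
# 5 is a process-creation event the hunt ignores.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE_IMAGE, "TargetFilename": REPORT_STARTUP_FILE},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\AdobeWY\abodec.exe"},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\LabZ4Y\dobasys.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Users\Admin\Downloads\installer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\other.exe"},
    {"EventID": 1, "Image": SAMPLE_IMAGE, "CommandLine": '"' + SAMPLE_IMAGE + '"'},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_LOG):
        print(idx, SAMPLE_EVENTS[idx]["EventID"], ", ".join(labels))
```

Two points worth keeping in mind when using this against real data. The RunOnce target C:\LabZ4Y\dobasys.exe is only ever seen as a registry value in this report; it does not appear in the process list within the 120 s run, so hunting for the value (and the misspelled value name "Parametr") is more reliable than waiting for a matching process. The generic rules deliberately fire on the benign-looking case too (an installer in Program Files writing a Run value is ignored, but anything in a user's Temp directory is not), which is the trade-off the report's own "Adds Run key" signature makes.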
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by locxdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by abodec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 entries in total):
  PID 2172  1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe (2 entries)
  PID 2532  locxdob.exe and PID 2176 abodec.exe (remaining entries, alternating between the two)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 2172 (1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe) wrote to memory of PID 2532 (procid_target 30), 4 entries
  PID 2172 (1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe) wrote to memory of PID 2176 (procid_target 31), 4 entries
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe  (PID 2172)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe  (PID 2532, child of 2172)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\AdobeWY\abodec.exe  (PID 2176, child of 2172)
      Command line: C:\AdobeWY\abodec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.6MB
MD5    79c1d0ffd19c6b0daa00acd02f9fd6af
SHA1   b296cbb3f67e84da56231b87c9b75b6c1e35f7be
SHA256 e159097b9821ccc3c0e9cb83ab94b83b362011ccf5e8df06b51ec96b09cb02ce
SHA512 0eb80c58a306a15911be284699158e3f06962dcdf605305b4c7c0cd5f1b83a6bf71e78397c212ae2b56e96ec611058c1bc3a71782ebf1d293dbe7520a00f0f94
-
Filesize 2.6MB
MD5    708932e6ae8cdaf469effad64bb6eed3
SHA1   601e30e4950ad84519ec8ce5338c3b2836532c78
SHA256 37502e81349981825e41e7ef01b573cb99675fa369858df75464d676947b4f18
SHA512 25d7b9285cbbc479c3a66d07bde5e84dd2d268e33ffa9bd02f587225ca5930415b677a4debc7c9cea3d858ec06c927b757190ed934f1b2dcaea3821741911214
-
Filesize 2.6MB
MD5    9916434bb785eb16d7ce86fba8a7da45
SHA1   fda3f8dd493adb0b7ac243f159baa0c367788af2
SHA256 6a8a4313ec147e22f3c44e1601125b05b42de7b9be5e816b37bf8dd28db008f4
SHA512 b1439c4f5c269f9588f91368d88eb35da535694727c58218e639e27fe99a4904e1f9e092492cf1f718be116f362230edb642b900e447da3b1cf56f83d3745165
-
Filesize 167B
MD5    07063418c10263ca3c058f8cdac66369
SHA1   fd2c6f995e4848ae14ad452664b65b17a5400433
SHA256 4b42773b6cab7dbaa5e54e512b652c9a1c6a2a6b3a015846276150ede1cf64d7
SHA512 9e0b4aae1e5f595143697859369f09c6e49a4c9e8e27a835e4d0829e12cbe5369308f4f368bd3b426561c04710e88ff85825553486f3f4e825f95791b785a35a
-
Filesize 199B
MD5    26452f54233da6f964b6f36f10bb841a
SHA1   3b9151d63690177d6a4bb7d6534568ecb9c4ad0a
SHA256 371616bb1bb39a6d70ecb9febc9c813c4a73a2523be4362a9f65240e278a56e6
SHA512 1bf72208e9a31eb3496d276e2ed2a0649baec983c584141140bb41c45c3a36488f309d09159bb91a5c4619ce405418d841c31f849e04e6432848e5b441b9fa8a
-
Filesize 2.6MB
MD5    c5f4f454d930578c2b2e5f2888216f34
SHA1   d3c331d34db7d28970662c50582a32594338c175
SHA256 89af68403bee92e321882e3b6c9db43f2bf1f02e1bb3493edf37a7d787d1ab3e
SHA512 2c7728b2877d5f4e1cc3d07953a94914fd3b6f03f30f65e0b1a34fac896193c1caa20ac1ed8081e1612f0787d45d7a9ab4cbe692023f07012503cf51de34c9da