Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 14:01

Static task: static1

Behavioral task: behavioral1
  Sample: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
  Resource: win10v2004-20241007-en
General
Target: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
Size: 2.6MB
MD5: d4c8b342860af7931743f80fbfb54cc0
SHA1: ba046149dd5e0f82d0745e59dc3bb60e07b8ca82
SHA256: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82
SHA512: 62c565618d47a4f594da497b35e6168802192aa4fbfc07fe497878859550e42ebaf86715bc34786c1c4c2972000d275ad7d9d936ca3f81e98079c5e4bf6c6e67
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Executes dropped EXE (2 IoCs)
  PID 1992  locdevdob.exe
  PID 2084  xdobsys.exe

Loads dropped DLL (2 IoCs)
  PID 2408  b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe (2 entries)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRD\\xdobsys.exe"
    Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIR\\boddevloc.exe"

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (locdevdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (xdobsys.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2408  b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe (2 entries)
  PID 1992  locdevdob.exe (31 entries)
  PID 2084  xdobsys.exe (31 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2408 (b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe) wrote to memory of PID 1992, procid_target 30 (4 entries)
  PID 2408 (b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe) wrote to memory of PID 2084, procid_target 32 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe (PID 2408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (PID 1992)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocRD\xdobsys.exe (PID 2084)
    Command line: C:\IntelprocRD\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads