Analysis
max time kernel: 120s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 14:01
Static task: static1
Behavioral task: behavioral1
  Sample: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
  Resource: win10v2004-20241007-en
General
Target: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
Size: 2.6MB
MD5: d4c8b342860af7931743f80fbfb54cc0
SHA1: ba046149dd5e0f82d0745e59dc3bb60e07b8ca82
SHA256: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82
SHA512: 62c565618d47a4f594da497b35e6168802192aa4fbfc07fe497878859550e42ebaf86715bc34786c1c4c2972000d275ad7d9d936ca3f81e98079c5e4bf6c6e67
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpkb
Malware Config
Signatures
Drops startup file (1 IoC)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (process: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe)
Executes dropped EXE (2 IoCs)
  Processes:
    PID 1048: locdevdob.exe
    PID 3008: xbodsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe47\\xbodsys.exe" (process: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDO\\optialoc.exe" (process: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevdob.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodsys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (64 repeated entries across these three processes):
    PID 2240: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
    PID 1048: locdevdob.exe
    PID 3008: xbodsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | procid_target):
    PID 2240 wrote to memory of 1048 | 2240 | b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | 89
    PID 2240 wrote to memory of 1048 | 2240 | b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | 89
    PID 2240 wrote to memory of 1048 | 2240 | b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | 89
    PID 2240 wrote to memory of 3008 | 2240 | b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | 90
    PID 2240 wrote to memory of 3008 | 2240 | b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | 90
    PID 2240 wrote to memory of 3008 | 2240 | b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe"
   PID: 2240
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (child of PID 2240)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
      PID: 1048
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Adobe47\xbodsys.exe (child of PID 2240)
      Command line: C:\Adobe47\xbodsys.exe
      PID: 3008
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 2.6MB
  MD5: 60ceba79d69ac964383983a1c796c46e
  SHA1: 655f32f8766944928611dfa3ca01cadcfc744712
  SHA256: 8ac4cc9453d85c06c4ead65c07a3f61c1148d6c8b54b31dac7769704cf3b2c48
  SHA512: 848b2d6ddb28491fafbcce7db48b07a843eca866f6835c80e7b1e5da14b87c130eda7989ca31d4f68f3eed7761ae712158bb5398399a55266d27f025b45e3613
File 2
  Filesize: 1.1MB
  MD5: 039d3fab34ed62c8c001a02ddd8c2a26
  SHA1: 30ee4cbb8888ccc89e767285e1e310051bbdf3b1
  SHA256: 19e905f5a464f191728015ac56dde9f9bdb0103b3ad369ea0e31a85cfa3236b4
  SHA512: 8e10f5f1a5ed47b78a7ac7fbeba625f27c8a86396a90fc17cadd2ef511194ad87cfe17b92868a99c6891511ba8bae210230be0dc7b32fa8d63f6970fb116626e
File 3
  Filesize: 572KB
  MD5: 153ced5118521513e7eec00f7a1b74ff
  SHA1: ddf23f712b8177756236cbb00a334db930a103e2
  SHA256: 39cb7d40df2124fd76a0c3d8604233ba63ee964fa44c88746709a730aa5f3310
  SHA512: c0fb2f6c471d63f561172d8d067f05746e22a40542e1e2e392b5bb2b4300fc103a637bb5fc1951b2e0727c67d1b918c2b6e3a8f6e9e803c2237a62659db7cce5
File 4
  Filesize: 204B
  MD5: 819dfa4b8981ac1ba0f66aa2fbecab0a
  SHA1: 5430bef53f9f87755400e40d34fce9d0794cc997
  SHA256: c21e6e67115d6e6ad86f42695fc838bebeecc0d579cf21e5215b10ff0c44dd74
  SHA512: 464ebe4ed0d451fc2946d39dfa547d0b4712b77664e3a10377db28cd81fae8645379145bf25dae43a11f810ab8ea15c23c99560e0d9928e04dda984df8b47621
File 5
  Filesize: 172B
  MD5: 5d974e0d192f5044c626ddb6ca9be3ff
  SHA1: fc1e3e525309136a75dd5ee6689740d0704c9a83
  SHA256: 3eca18f942dc345c76388f469964af097bf6470c47fe391b62cb8fd995fbf575
  SHA512: 8b58b47b682d37b288f075b7d07de722427899f694483a76a51c7cc983166366a7c719e073179cacf2a585da382e9ce6c0d15c12649b02d5be7004d5843558ce
File 6
  Filesize: 2.6MB
  MD5: 5c7361fb1a33a640588fd3a611ed1638
  SHA1: 20996988ec57bc588ea055015a9c56e000626787
  SHA256: d6914638af78194b21251965d910e98a6f3bc212bbaf6802a0a2f8fd2a934b18
  SHA512: 7b805fddb81a2f93881e3377bdbbf938290d8319cf50f145efef052d5511ceb9ac7d4a251724a4d4a3cc7db84aa793560c5f37c62a9b77eebb1a453ba419bef4