Analysis
max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 20:17

Static task: static1

Behavioral task: behavioral1
Sample: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
Resource: win10v2004-20241007-en
General
Target: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
Size: 2.6MB
MD5: 2ff31c5997c4d85234886775fe0ab0fa
SHA1: a12aefc6335e6604faba3e6de26bbe5050daeb52
SHA256: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d
SHA512: 16fe90c2ecb0f4efe32900e1d28a892c3637c7b833d782a88bb706023abb35fe27c39a9d871a18b791b23e14fa93739916a1df6468c31ee90ad41edf3421c02d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpTb
Malware Config
Signatures
Drops startup file (1 IoC)
  Process: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
Executes dropped EXE (2 IoCs)
  PID 2452  locdevopti.exe
  PID 5072  adobec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe09\\adobec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJR\\dobxloc.exe"
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by locdevopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by adobec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe, locdevopti.exe, adobec.exe
  PID 1924  1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe  (first 4 entries)
  PID 2452  locdevopti.exe  (the remaining 60 entries alternate in pairs between PID 2452 and PID 5072)
  PID 5072  adobec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Process: 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
  PID 1924 wrote to memory of PID 2452 (procid_target 87), 3 entries
  PID 1924 wrote to memory of PID 5072 (procid_target 88), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe"
  PID: 1924
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (child of PID 1924)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    PID: 2452
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Adobe09\adobec.exe (child of PID 1924)
    Command line: C:\Adobe09\adobec.exe
    PID: 5072
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads