Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:45
Static task: static1
Behavioral task: behavioral1
Sample: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
Resource: win10v2004-20241007-en
The run times, signatures and process tree on this page are those of behavioral1 (win7-20240903-en); the win10v2004 run is a separate task whose results are not shown here.
General
Target: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
Size: 4.1MB
MD5: b93004c132f8750522b7ef4097c3ca47
SHA1: c97e9f8203ce5dc89db93e734fea64dd8330e81b
SHA256: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222
SHA512: 8bdc2c4bc22243b578e0f06538f7acadfeee2fc6aff998b2b694866ce614459df28dd666e5161c6a5dee5884b119bbe4c8b4afab772c63a968d12454c5c03bab
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (process: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe)
Executes dropped EXE (2 IoCs)
- PID 1592: locabod.exe
- PID 2352: adobsys.exe
Loads dropped DLL (2 IoCs)
- PID 1968: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
- PID 1968: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQM\\adobsys.exe" (process: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDF\\optidevec.exe" (process: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe)
Both entries use the same value name (Parametr), one under the user's Run key and one under RunOnce, pointing at executables in two non-standard top-level directories (C:\FilesQM and C:\LabZDF). adobsys.exe is launched during the run (PID 2352 in the process tree below); C:\LabZDF\optidevec.exe never appears in the tree, which is expected for an HKCU RunOnce entry that only fires at the next logon and therefore lies outside the 150s sandbox window. Triage of the host should pull that file as well.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locabod.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobsys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1968: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe (2 events)
- PID 1592: locabod.exe and PID 2352: adobsys.exe, alternating, for the remaining 62 events
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1968 (107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe) wrote to memory of PID 1592 (procid_target 31), 4 events
- PID 1968 (107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe) wrote to memory of PID 2352 (procid_target 32), 4 events
All eight writes go from the parent to the two children it spawns itself (locabod.exe and adobsys.exe), with no writes into any pre-existing process. That pattern is consistent with the writes a parent performs into a freshly created child during process setup rather than with injection into another process; the report shows no cross-process writes beyond these.
Processes
C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe (command line: "C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe"), PID 1968
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe (command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"), PID 1592, child of 1968
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\FilesQM\adobsys.exe (command line: C:\FilesQM\adobsys.exe), PID 2352, child of 1968
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not name the files these hashes belong to. Three of them are 4.1MB, the same size as the submitted sample, but none shares any of the sample's hashes, so they are distinct binaries rather than straight copies; pivot on the SHA256 values, not on size.
- Filesize: 4.1MB
  MD5: 18c64931d62669fd19f74b4a069c4cfd
  SHA1: 9ac3c6b99c5224e66fb8630858cc64509c985af6
  SHA256: e788ea16494eec598d382df1002c57d5de963a2356195157df284738a60a744e
  SHA512: 4300ab3891d106b74296c961ebcfd98970a18dd7101814f1f2a99155d0c114eca284e3e4d6199f5568d5e903006d6b4d8fcc29ebcb720d6be5473372695e8323
- Filesize: 4.1MB
  MD5: 76476119549b06888b3a983537f38a31
  SHA1: 0a92623bdce7a9daed099b8625042bd4e3cfabeb
  SHA256: 2827619ea285784f62f965ae0fb30c9f5e38a0637a11c595e16ddacbdadadf71
  SHA512: fc255ac116ad54275b2452493e1114e86115432edc7b0b0be100f1999f17ef656ff7b78eb728b337d339ba180db7dc0d1aab6838268773c764f36477081e5848
- Filesize: 33KB
  MD5: 3421d48078becd2757242c799c1f76fa
  SHA1: f712b81d8b836313c299781997e39a5f2a55b101
  SHA256: 903d682dfc442dcf9784154e15b1b6d129e7a7c43ac53e742d6a50faea2c2d21
  SHA512: 511e1f4bb429fad3d667d12a8c03ec79d63524461ae510626eb716d362347be711fdba7cec3a84eb383418fb8cdbbfbbe56c4144955c563df913650fd87fa5b2
- Filesize: 170B
  MD5: b6c02d1a4d457bb2fbf2c065e1949c4c
  SHA1: 225654c987afb8cf7f314b4fae5bcf99f1cac46f
  SHA256: 743789c463aeb3bf22ff7fda914a7abdbb7796bd8e7a71323f891020b07e99c3
  SHA512: f96364c35bea997efaaadc0a41f2cb0b252f23bda11b6d332065e285aab7c4627a8fc1d145556ae680a77e5230f38a08a445aae7ebf6e8857f673bc30bf562f4
- Filesize: 202B
  MD5: bf2eeb6371d7b483bd3287e64e95df96
  SHA1: 9767b3dcc401453d243743c83a9bc450dbbf0f52
  SHA256: 190b7bd24f0a14a9d76e49994c64653c02d5e55e3a38eebbfecc37dbd13211e5
  SHA512: 205d4de35c7dd93457fba45e27ca239961d5dfc70973e80b9bd323d61af2089734f9e4b5ab315679e0edaea28d81e17f228fd1c0aa67ba915aa5ef0a22369ffa
- Filesize: 4.1MB
  MD5: 2f003592b102cbb9d6366e83a53461ac
  SHA1: 7212c674319c2b605c10c2c68ec705e7b01fab0c
  SHA256: f1e00dede2ab76590a2f16a9566793d4c5f8eadb3464fc6a331398da65cdbaed
  SHA512: 3a0701b69e3679dc09561cba4ceaa35726c3809b6df7b2c7a90869b63ecd4916771bc8035f5992f0eccedbc10bd7ff22d1af47c2e57770c6bfb081c48c4b91ad