Analysis
Max time kernel: 119s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-11-2024 19:54
Static task: static1
Behavioral task: behavioral1
  Sample: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  Resource: win10v2004-20241007-en
General
Target: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
Size: 2.6MB
MD5: de42ddd0cfaaf5429e5c4f361a97aefe
SHA1: 87a201560bb2688b45f89ef1563899d7e97649bc
SHA256: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a
SHA512: 4e3d21c7b2fbc49dfae38f3f72a770faa265c73468b10a00b8732fb937287fbd101a0b5b0cce7a19ed64e7205693538b66ff14a6f57c2e0565b266b019d5789d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSG:sxX7QnxrloE5dpUpzbH
Malware Config
Signatures
Drops startup file (1 IoC)
  Processes: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  Description   IoC                                                                                           Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe

Executes dropped EXE (2 IoCs)
  Processes: locdevbod.exe, xdobloc.exe
  PID   Process
  2716  locdevbod.exe
  2644  xdobloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  Description      IoC                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4Q\\xdobloc.exe"       2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHP\\bodaec.exe"     2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe, locdevbod.exe, xdobloc.exe
  Description  IoC                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  locdevbod.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xdobloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe, locdevbod.exe, xdobloc.exe
  The 64 entries are repeats of the same three processes: four for PID 2852, then alternating pairs for PIDs 2716 and 2644 (30 entries each).
  PID   Process                                                                  Entries
  2852  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe  4
  2716  locdevbod.exe                                                            30
  2644  xdobloc.exe                                                              30

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  Description                   PID   Process                                                                  procid_target
  PID 2852 wrote to memory of 2716  2852  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe  87
  PID 2852 wrote to memory of 2716  2852  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe  87
  PID 2852 wrote to memory of 2716  2852  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe  87
  PID 2852 wrote to memory of 2644  2852  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe  88
  PID 2852 wrote to memory of 2644  2852  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe  88
  PID 2852 wrote to memory of 2644  2852  2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe  88
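The persistence entries above (a Startup-folder drop, a Run value and a RunOnce value, both named Parametr) and the WriteProcessMemory rows are the parts of this report an analyst turns into host-hunting indicators. The Python below is an added example, not part of the sandbox report or of the tool that produced it. It parses the report's own IoC strings (copied in as constructed sample input), maps the kernel-style \REGISTRY\USER prefix to the HKU name that registry tools expect, collapses the doubled backslashes in the quoted value data, separates Run from RunOnce, flags drops into the per-user Startup folder, and rebuilds the parent/child PID map from the WriteProcessMemory rows. The function names and record layout are my own choices, not anything the report defines.

```python
"""Turn sandbox-report IoC lines into normalized host-hunting indicators (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the IoC strings exactly as they appear in the report above.
FILE_IOCS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe",
]
REG_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4Q\\xdobloc.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHP\\bodaec.exe"',
]
WPM_IOCS = [
    "PID 2852 wrote to memory of 2716",
    "PID 2852 wrote to memory of 2716",
    "PID 2852 wrote to memory of 2716",
    "PID 2852 wrote to memory of 2644",
    "PID 2852 wrote to memory of 2644",
    "PID 2852 wrote to memory of 2644",
]

_REG_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)"$')
_FILE_RE = re.compile(r"^File created (.+)$")
_WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)")
_STARTUP_DIR = "\\start menu\\programs\\startup\\"  # per-user Startup folder, lower-cased


def normalize_hive(key: str) -> str:
    """Map the kernel-style \\REGISTRY\\USER / \\REGISTRY\\MACHINE prefix to HKU / HKLM."""
    upper = key.upper()
    for prefix, short in (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\")):
        if upper.startswith(prefix):
            return short + key[len(prefix):]
    return key


def parse_registry_iocs(lines):
    """Parse 'Set value (type) <key>\\<name> = "<data>"' lines into autorun records."""
    records = []
    for line in lines:
        m = _REG_RE.match(line.strip())
        if not m:
            continue
        vtype, full_path, data = m.groups()
        key, _, name = full_path.rpartition("\\")
        records.append({
            "type": vtype,
            "hive_key": normalize_hive(key),
            "name": name,
            # The report quotes the data with doubled backslashes; collapse them.
            "data": data.replace("\\\\", "\\"),
            # Last key component: Run fires at every logon, RunOnce is deleted after it fires.
            "kind": key.rsplit("\\", 1)[-1],
        })
    return records


def parse_file_iocs(lines):
    """Parse 'File created <path>' lines, flagging drops into the per-user Startup folder."""
    records = []
    for line in lines:
        m = _FILE_RE.match(line.strip())
        if not m:
            continue
        path = m.group(1)
        kind = "startup_folder" if _STARTUP_DIR in path.lower() else "file"
        records.append({"path": path, "kind": kind})
    return records


def parse_process_writes(lines):
    """Build parent -> {child PIDs} from 'PID a wrote to memory of b' lines; repeats collapse."""
    tree = defaultdict(set)
    for line in lines:
        m = _WPM_RE.match(line.strip())
        if m:
            tree[int(m.group(1))].add(int(m.group(2)))
    return dict(tree)


def hunt_paths(reg_lines, file_lines):
    """Every executable path a host check should look for, de-duplicated, in report order."""
    paths = [r["data"] for r in parse_registry_iocs(reg_lines)]
    paths += [r["path"] for r in parse_file_iocs(file_lines)]
    seen, ordered = set(), []
    for p in paths:
        if p.lower() not in seen:
            seen.add(p.lower())
            ordered.append(p)
    return ordered


if __name__ == "__main__":
    for rec in parse_registry_iocs(REG_IOCS):
        print(f"{rec['kind']:8} {rec['hive_key']}\\{rec['name']} -> {rec['data']}")
    for rec in parse_file_iocs(FILE_IOCS):
        print(f"{rec['kind']:14} {rec['path']}")
    print("process tree:", parse_process_writes(WPM_IOCS))
    print("paths to check on a host:", hunt_paths(REG_IOCS, FILE_IOCS))
```

Running it lists C:\Adobe4Q\xdobloc.exe, C:\LabZHP\bodaec.exe and the Startup-folder copy of locdevbod.exe as the paths to check, and {2852: {2716, 2644}} as the process map. Only two of the three persistence targets appear in the process tree: xdobloc.exe (PID 2644) and locdevbod.exe (PID 2716) ran during the trace, while the RunOnce target bodaec.exe is never observed executing and is not among the "File created" IoCs, so a host check should look for the RunOnce value and the file rather than for a running process.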
Processes

C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe"
  PID: 2852
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
    PID: 2716
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Child: C:\Adobe4Q\xdobloc.exe
    Command line: C:\Adobe4Q\xdobloc.exe
    PID: 2644
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 3e5523ab2df6156c90e4f3f0bb84e1c0
SHA1: 8885021008b119f6a17fc817320fca3bd45ece9c
SHA256: 3027099fb3fae256d1ad8c916b253f88fde3d107057cfa2ac674a595a529e4d8
SHA512: 3cabb60cc74ee1f7ecb8dc4167965514a4d72dbb5e376385736f6873bd86c5ea9da821fe79d9ae9b41929fa200b0c99652d1a4a1d4b07ca047486fdeb3eb5d81

Filesize: 2.1MB
MD5: 86377bd8c5909830c0e98079420c9876
SHA1: 83104f268671b4f26978f7cbd4b73e50c8573a3f
SHA256: 4f9fb3eb84276ebd74ee9dceee4402a06e5a9eeb7c40194cd214710fc4e426db
SHA512: 12032b96a1c9cf59eb03af13f6ceebf60f06efd44af1529e0cfbb5de3828adf123cbac551b879229113bf4d3c50fccc27bbef4694ea68d29bcb9f16c2da8a443

Filesize: 2.6MB
MD5: b141eb981c5764914cb73b3fbf553710
SHA1: 8e86a1ae2f0d5ce2ad3f1b1288e4ff99fdda0467
SHA256: dbfaf9d88416ade5bc02c7cbab360cbecad52705faf5d877d3d9ef52c140fb75
SHA512: 3b5396b63291a79680e06d1ae531fca59c073a96541e5bb462198ef09af0a8f61d4dffd380ddccfbdd8efdfbea2a0a5de12883fd101ab9b0355b893dd9a6ab17

Filesize: 201B
MD5: 4b582fbb28a479608e8be68bdec97a7f
SHA1: da116f16c2d24c63be2a0a040444f9ed42115559
SHA256: f9300a24dacde446f7ea7480be488825d15c1738e4688cc5d3d87a4e5f833356
SHA512: 5a22815fc448f81285962740cab1ad72e73a9db39ebb1369469fa1214a6df6707c664c21a4d59c50985e12eec59e3d988cd383240915393731648c99616a6129

Filesize: 169B
MD5: 08b07645d48a0cb700fbf6117f1bb989
SHA1: b83db46de1dbb4a3ed1d571dc16d84247ea2be17
SHA256: ba86b4c4e5d4ce05e44354309d1ed31c0ae724682a161856310fb399a20422a4
SHA512: b014aaedc0444c0b2d13022dcf8881f5042bdda434768a02b6c440472aabac30139642cc50b2a1722b89838de65d88ae710fb8f13ee243c5aec0f128d22dcb62

Filesize: 2.6MB
MD5: 8aeaa476dff1b058d2a6f3f82b5423a3
SHA1: 73962357c1162f68e8481f4e68f078bed751fdaa
SHA256: b7e4e1dfa63a16b372fb313e4415124ac7604be3a0c37e958ce07a6b8865135b
SHA512: be6f3a6d527983510b63b3db3cc08da112179ed2855f66be4fb2a3505ad660bd95f85cf5de4b3c42b83eddfa43ebe25ea1ccebe644353def873f44dba51f967a