Analysis
-
max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
13-11-2024 20:04
Static task
static1
Behavioral task
behavioral1
Sample
f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
Resource
win10v2004-20241007-en
General
-
Target
f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
-
Size
2.6MB
-
MD5
bd630a9ba2c922e4babf7a3500ea6147
-
SHA1
dec4b426fed27ada83c55fe2d396ddafe14110b1
-
SHA256
f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121
-
SHA512
a90ff75ef556aead376959100774cddf3f3594b0d592f7be7f061604da065f02744c06e0c98e97e256e1ff323b39cb12477288641f31567054333b4dca4a69ae
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqS:sxX7QnxrloE5dpUpobVS
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
description    ioc                                                                                            Process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
-
Executes dropped EXE 2 IoCs
Processes: locdevopti.exe, devbodloc.exe
pid     Process
2668    locdevopti.exe
2788    devbodloc.exe
-
Loads dropped DLL 2 IoCs
Processes: f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
pid     Process
2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
description        ioc                                                                                                                        Process
Set value (str)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5F\\devbodloc.exe"        f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZTH\\dobdevloc.exe"    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: devbodloc.exe, f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe, locdevopti.exe
description    ioc                                                       Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    devbodloc.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    locdevopti.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe, locdevopti.exe, devbodloc.exe
pid     Process
2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    (2 hits)
2668    locdevopti.exe    (alternating with 2788 for the remaining 62 hits)
2788    devbodloc.exe     (alternating with 2668 for the remaining 62 hits)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
description              pid     Process                                                                   procid_target
PID 2856 wrote to memory of 2668    2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    30
PID 2856 wrote to memory of 2668    2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    30
PID 2856 wrote to memory of 2668    2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    30
PID 2856 wrote to memory of 2668    2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    30
PID 2856 wrote to memory of 2788    2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    31
PID 2856 wrote to memory of 2788    2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    31
PID 2856 wrote to memory of 2788    2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    31
PID 2856 wrote to memory of 2788    2856    f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe    31
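A host-side hunt for the indicators in the signatures above, added here as an example; it is not part of the sandbox report. It looks for the Run/RunOnce value named Parametr in every loaded user hive (not only the sandbox SID), the two hard-coded drop paths, a locdevopti.exe copy in any user's Startup folder, and running processes by the three dropped image names, then compares the SHA-256 of anything found against the hashes this report lists. Two assumptions: the four 2.6MB entries under Downloads are taken to be the dropped executables (the report does not name them), and dobdevloc.exe is included even though it never appears in the process tree, since only its RunOnce value is observed.

```powershell
# Added hunt script, not from the sandbox report. Read-only: nothing is
# modified or deleted. Run in an elevated PowerShell 5.1+ session.

# SHA-256 values copied from the report: the sample plus the four 2.6MB
# Downloads entries (assumed to be the dropped executables).
$KnownSha256 = @(
    'f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121',
    '2cb14d5c01c5e9bb48a20a9c60953b644519c7cda394b48922f08d3d955c592e',
    'ee9243b37980a8b75dd505dcd93cf6caa883160c73be4249836bc28d4107c4dd',
    '647d28d27e6a2bf57fa96f0b3e561b696478b171d08c66483772dbb495831a6a',
    '3ee04ab6be3a84928ac60bdf0709514b52443a60e5cd19b3bf5b723c9f364b88'
)

# Paths from the "Adds Run key" values and the "Drops startup file" signature.
$DropPaths   = @('C:\SysDrv5F\devbodloc.exe', 'C:\LabZTH\dobdevloc.exe')
$StartupName = 'locdevopti.exe'

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# Hash a file if it exists and record whether the hash is one the report lists.
function Test-KnownHash([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $tag = if ($KnownSha256 -contains $h) { 'hash matches report' }
           else { 'hash NOT in report (variant, repacked, or benign)' }
    Add-Finding 'file' $Path "$tag sha256=$h"
}

# 1. Run / RunOnce value "Parametr" in every loaded user hive. The value name
#    is the distinctive part; the report shows it set under both keys.
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run',
                     'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = Join-Path $hive.PSPath $sub
        $v = Get-ItemProperty -Path $key -Name 'Parametr' -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            Add-Finding 'registry' "$($hive.PSChildName)\$sub\Parametr" $v.Parametr
            # Whatever the value points at is the next thing worth hashing.
            Test-KnownHash ($v.Parametr.Trim('"'))
        }
    }
}

# 2. Drop directories hard-coded in the Run/RunOnce values.
foreach ($p in $DropPaths) { Test-KnownHash $p }

# 3. Startup-folder copy for every profile, not only the sandbox's "Admin".
foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $startup = Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    Test-KnownHash (Join-Path $startup $StartupName)
}

# 4. Live processes by image name; PIDs in the report are sandbox-specific.
foreach ($name in 'locdevopti', 'devbodloc', 'dobdevloc') {
    foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        Add-Finding 'process' "$($proc.ProcessName) pid=$($proc.Id)" $proc.Path
        if ($proc.Path) { Test-KnownHash $proc.Path }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the Parametr value name or on either drop directory is a stronger signal than a hash match alone: the report shows four distinct 2.6MB payload hashes from a single run, so a repacked sibling will miss the hash list but still use the same persistence names.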
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2856
  Level 2 (child of 2856): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2668
  Level 2 (child of 2856): C:\SysDrv5F\devbodloc.exe
    Command line: C:\SysDrv5F\devbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2788
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
5b98d0c89193911274755990d5dea2e5
SHA1
f422d0ba046b7b507c750b06e866befb5ba7e356
SHA256
2cb14d5c01c5e9bb48a20a9c60953b644519c7cda394b48922f08d3d955c592e
SHA512
9bf80a83059d139004cac4e9da525de1b3eddb16b31945d1109aecb8255999484202b2c2bbba1ace8fa5fb0d18a26eed04fca6e349f5b3a2a4d722f784137711
-
Filesize
2.6MB
MD5
136ecc167395b0d9639b9584ba09db6a
SHA1
7d8d4263ff96ce49e77f350dae872c9aaf52fea5
SHA256
ee9243b37980a8b75dd505dcd93cf6caa883160c73be4249836bc28d4107c4dd
SHA512
17ac7a986530c0ffbd2b105ace8b18ce318ade618ba003002e1e81175fbd7d40330721682e81ac07ce37a8263abdc9dc3b6e14f0459d5cd939283db083172592
-
Filesize
2.6MB
MD5
43817318a2d1b0a33a694c07491442ae
SHA1
fe9651e3ef6d87b61ba50a813e0572c52d417841
SHA256
647d28d27e6a2bf57fa96f0b3e561b696478b171d08c66483772dbb495831a6a
SHA512
6f6826a862300ef7e44b3f21aef0cb1bcb8b79b3c77b9808c31f6d4b2fbb52fc424ff704e6748cd3c351f870c9bcc4e4e3d0d702281b598ab4415faade148072
-
Filesize
176B
MD5
ebf263d2e3b73cd0a739d6c8e73cb40c
SHA1
e2dc08203e02df75d34333462055b1018dcea041
SHA256
1c859a8657866dd90b93d7b72073646bec9d4984896bd032e8e40032ddceee58
SHA512
f94abe0acd23be33f790d9521b2ad14e2d97a1acd29fedd1a4d85b17d511ecfc8b2f2826318b15fb484ba94bc5927f4bc441781a5ded4bfcbbaabcd9bd5635b7
-
Filesize
208B
MD5
5a739c774074ff59bc5ab2b0bf5425f7
SHA1
ffbb2ab5b54d79d91a927972ba085a6889ee70d7
SHA256
4418574c7e1d776445e8d18ee75a2d93652f6bcbedb814f5f1f69a6b73fd2be9
SHA512
e180c2e2731b24240996a78179d3bacdfddec9989a1371c3f14c29e7e8f3348998890569ce89d12a1d0d753749187c49a06bf7f9957a117f2c2f7060823eecc5
-
Filesize
2.6MB
MD5
7884e479b90646cc42e17896891a7717
SHA1
ffa6844e624fda632fe0508f7630b6ff1f862eeb
SHA256
3ee04ab6be3a84928ac60bdf0709514b52443a60e5cd19b3bf5b723c9f364b88
SHA512
e0f2cb89c4a60393593a7a31861fec8325562923e0deeccb1d3040059221e107c5fcc06d0417c22d5a0425a92f628af2d5471538a3ba83351207c6cb3f8994a0