Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 20:07
Static task: static1
Behavioral task: behavioral1
  Sample: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
  Resource: win10v2004-20241007-en
General
Target: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
Size: 3.1MB
MD5: 77a1409ee27e5a0ce31964df8e2bd69b
SHA1: 356f89bec6c0d05cbcc6ddc6f505086cc3a5903f
SHA256: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d
SHA512: cd9058cc3f0301fa9038a2e303831bc17067242d04a35a2e5aa5ecc508911410461f2254548be443d0a7bbba6f8e9e6d5f29e642ec51dc9e6f4557e276a13ec1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqIM:sxX7QnxrloE5dpUpSbVz8eLFc/
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
- Executes dropped EXE (2 IoCs)
  PID 2940: locdevdob.exe
  PID 1724: xdobloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFT\\xdobloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNC\\bodaec.exe"
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xdobloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by locdevdob.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3156: 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
  PID 2940: locdevdob.exe
  PID 1724: xdobloc.exe
  (all 64 entries in the report are repeats of these three pid/process pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3156 (17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe) wrote to memory of PID 2940, procid_target 89 (3 entries)
  PID 3156 (17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe) wrote to memory of PID 1724, procid_target 92 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe"
  PID: 3156
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
    PID: 2940
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\IntelprocFT\xdobloc.exe (level 2)
    Command line: C:\IntelprocFT\xdobloc.exe
    PID: 1724
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  MD5: 89db457e2ffc5cbb17de8c3cdcf2a613
  SHA1: a7f80c8646df9bc20227833d0a09acd934594e70
  SHA256: fd8851833424620967ffec223b6ab828c39de0b8be134a041109bc607a7d49f8
  SHA512: acea3918f76d669f21b8ffcf4256b56b6675ffe16a4d1a6351e39f3d1b441fa2c86f54b755a945a447bca2b0e4290a44055f3692f63825a304e06cdd66082804
- Filesize: 3.1MB
  MD5: bf845aa8fed7c334e79467066e5cd0ee
  SHA1: 140def44fac131579f5f4da3463c20b153235186
  SHA256: 7ee55a06d189cb8d1299b582ea21657c46ddb041be44b0ed08c797a8ed24c03e
  SHA512: b2abf257c59ffa167b2a10925e00220f779c8011052d5e07f569b934d10ad5e54790042f64bf7a7be932d957756f668812ad03c854bf3072482e597a58ad1341
- Filesize: 16KB
  MD5: 7194af4ca8b5784e038c373119d798e5
  SHA1: 9c114add88126c1358d7020ca7697c5b0528ea2d
  SHA256: f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050
  SHA512: dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992
- Filesize: 205B
  MD5: 40878f1230354d0fd041f4f470710fe0
  SHA1: 11aa86d24de207762e1e586688f64e3cadc9d37f
  SHA256: b51c926cbd19bd14caff6ec099db0b349fd836209df5cc7debd30b693d9cc9ca
  SHA512: 45007ad39d3b11c202caa8a86c8326933ff528c269fcdfbd7ccd1f08abc276d3a3e97b58df2141dfc451468b778f0ca59c0a76b7f4b224992c4767fb81bf7a97
- Filesize: 173B
  MD5: 701dbf1ecd0054eedb47cd021b9cc453
  SHA1: 162423eab564bbff4240251d14f2f0b698529519
  SHA256: 7b89d3874842d56678d158e12aa922e0239f2ea08a454aa0de41fbe8283ef578
  SHA512: 17f94b973e2749df11bec5b0c84a621bfb2d8431aeb417741d1441ed0112e3197b3d78e7e3f890471031080c23da8dbe473c58a5206083ad06a97617645c7283
- Filesize: 3.1MB
  MD5: 43fcfa2c72d552e9c05601722a0a718e
  SHA1: 9ab8e32fb1bc89b7967cbf8ca730202a96a07ff7
  SHA256: a770ee52f4b979eb467e667b24dbae74d8284f9c4ec504c73af3e108abbeb27e
  SHA512: 00c5cf8d2df4fe23f36bcec6024dccd21ebb5fa640e90c6b4339bc632d24707c453bfb9f71a9dd91f0c5b4d7772eb3b3ad7288ddeb8d31817baf75c5c8012043