Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
13-11-2024 20:12
Static task
static1
Behavioral task
behavioral1
Sample
b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
Resource
win10v2004-20241007-en
General
-
Target
b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
-
Size
2.6MB
-
MD5
8bc258d93c9660e6bab845d73bf1741e
-
SHA1
b20ae60359f874b72be577665ba9f2c1eef75a12
-
SHA256
b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580
-
SHA512
03716287275c54d878f34baedc60e265dd3f37394f175583c2ddf71827e23642d59365414f1617f09ce9a5b4d7649695bdd74f44ede20a3d6ce34deff65e8a9e
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSQ:sxX7QnxrloE5dpUpfbP
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid: 2104 | process: locdevdob.exe
pid: 1648 | process: xdobsys.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid: 2148 | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
pid: 2148 | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTR\\xdobsys.exe" | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPY\\optidevec.exe" | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: locdevdob.exe
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: xdobsys.exe
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid: 2148 | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe (2 entries)
pid: 2104 | process: locdevdob.exe (31 entries, alternating with the next row)
pid: 1648 | process: xdobsys.exe (31 entries)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description: PID 2148 wrote to memory of 2104 | pid: 2148 | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | procid_target: 31 (4 entries)
description: PID 2148 wrote to memory of 1648 | pid: 2148 | process: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | procid_target: 32 (4 entries)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2148
-
  Level 2 (child of PID 2148): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2104
  -
  Level 2 (child of PID 2148): C:\IntelprocTR\xdobsys.exe
  Command line: C:\IntelprocTR\xdobsys.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1648
-
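Triage logic for the behaviours recorded above, as an added example that is not part of the sandbox report or of the sample. It assumes endpoint telemetry normalised into one dict per event with Sysmon-like fields (type, pid, ppid, image, target, details); the event list below is constructed to mirror the IoC tables and the process tree, plus one benign Run-key write from a hypothetical updater so the low-severity path is exercised. Two practitioner points the tables support: the RunOnce value points at C:\LabZPY\optidevec.exe, which never appears in the process tree during this run, so a host check should look for that path as well as the two executed drops; and the NLS\Language key read is matched on its suffix because the report records ControlSet001 while a live host is usually queried via CurrentControlSet.

```python
import re
from collections import defaultdict

# Indicators lifted from the report above. Windows paths and registry keys are
# case-insensitive, so everything is compared lower-cased.
RUN_VALUE_NAME = "parametr"
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Suffix match so that ControlSet001 and CurrentControlSet both hit.
NLS_LANGUAGE_RE = re.compile(r"\\control\\nls\\language$", re.IGNORECASE)
DROPPED_IMAGES = {r"c:\intelproctr\xdobsys.exe", r"c:\labzpy\optidevec.exe"}

SEVERITY = {"low": 1, "medium": 3, "high": 5}


def _norm_path(p):
    """Strip surrounding quotes and lower-case so telemetry and report spellings compare equal."""
    return p.strip().strip('"').lower()


def match_event(ev):
    """Return the (rule, severity) pairs a single normalised event triggers."""
    hits = []
    kind, target = ev["type"], ev.get("target", "")
    if kind == "reg_set":
        m = RUN_KEY_RE.search(target)
        if m:
            value_name, dest = m.group(2).lower(), _norm_path(ev.get("details", ""))
            # Any Run/RunOnce write deserves a look; the report's value name or
            # destination path makes it a high-confidence match.
            if value_name == RUN_VALUE_NAME or dest in DROPPED_IMAGES:
                hits.append(("run_key_persistence", "high"))
            else:
                hits.append(("run_key_write", "low"))
    elif kind == "file_create" and STARTUP_DIR_RE.search(target):
        hits.append(("startup_folder_drop", "high"))
    elif kind == "process_create":
        image = _norm_path(ev.get("image", ""))
        if image in DROPPED_IMAGES or STARTUP_DIR_RE.search(image):
            hits.append(("dropped_exe_executed", "medium"))
    elif kind == "reg_open" and NLS_LANGUAGE_RE.search(target):
        # Plenty of legitimate software reads this key: a weak signal on its own.
        hits.append(("system_language_discovery", "low"))
    return hits


def triage(events):
    """Score every process in an event stream and derive a verdict for the host."""
    findings, score_by_pid, flagged_pids = [], defaultdict(int), set()

    def record(pid, rule, sev):
        findings.append({"pid": pid, "rule": rule, "severity": sev})
        score_by_pid[pid] += SEVERITY[sev]
        if sev == "high":
            flagged_pids.add(pid)

    for ev in events:
        for rule, sev in match_event(ev):
            record(ev["pid"], rule, sev)
        # Children of a process that already earned a high-severity hit inherit
        # suspicion (the report shows 2148 spawning both dropped executables).
        if ev["type"] == "process_create" and ev.get("ppid") in flagged_pids:
            record(ev["pid"], "spawned_by_flagged_parent", "medium")

    rules = {f["rule"] for f in findings}
    if {"run_key_persistence", "startup_folder_drop"} <= rules:
        verdict = "persistence_established"
    elif flagged_pids:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "score_by_pid": dict(score_by_pid)}


# Constructed events mirroring the IoC tables above (not real telemetry), plus one
# benign Run-key write from a hypothetical updater to show the low-severity path.
SAMPLE = "b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-4177215427-74451935-3209572229-1000"
RUN = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = RUN + "Once"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"type": "reg_set", "pid": 2148, "image": SAMPLE, "target": RUN + r"\Parametr",
     "details": r"C:\IntelprocTR\xdobsys.exe"},
    {"type": "reg_set", "pid": 2148, "image": SAMPLE, "target": RUNONCE + r"\Parametr",
     "details": r"C:\LabZPY\optidevec.exe"},
    {"type": "file_create", "pid": 2148, "image": SAMPLE, "target": STARTUP + r"\locdevdob.exe"},
    {"type": "process_create", "pid": 2104, "ppid": 2148, "image": STARTUP + r"\locdevdob.exe"},
    {"type": "process_create", "pid": 1648, "ppid": 2148, "image": r"C:\IntelprocTR\xdobsys.exe"},
    {"type": "reg_open", "pid": 1648, "image": r"C:\IntelprocTR\xdobsys.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "reg_set", "pid": 900, "image": r"C:\Program Files\Example\updater.exe",
     "target": RUN + r"\ExampleUpdater", "details": r"C:\Program Files\Example\updater.exe"},
]

if __name__ == "__main__":
    result = triage(EVENTS)
    print(result["verdict"], result["score_by_pid"])
    for f in result["findings"]:
        print(f)
```

Run as-is it reports persistence_established, with PID 2148 scoring highest and the two children picking up both their own dropped-executable hit and the inherited one from their flagged parent; the updater's Run-key write only scores as low, which is the behaviour you want from a rule set that will also see installers.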
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
954651f7d00d3350594c12944fb2f9b0
SHA1
c5efe6c66b4ec6ffc2558f5452aca3bc836100cf
SHA256
7c1e922f41454239fe9b58c6f0642523def71218aace0f3ca0a10d75fcb32ff2
SHA512
38ac7473fc933c8508eeb4949450b0b8e163bdb1db087ebd0d6e8770d8c20da7935cebbed815389e417f984d487fd4f84369dac169c2aec800001c9761088c43
-
Filesize
2.6MB
MD5
95ad5aa58c62b771b1327e70d47ad40b
SHA1
df42c055d2a39e205e849ebf838f8fc7d5020594
SHA256
b2baaed62f5a76863af5dc60c0cb415bc28ad2c599db3841793f2afadcfe0af8
SHA512
c6f418390b90758b048f847da8d1a89de7fd98e8b5b34a1b2da4cc2b2b78e2d164a651c129d7e54914a53740652ebfccf147a1805dc9d333f0ea631e9496fd28
-
Filesize
2.6MB
MD5
2d3ad9db8a8a621130acb365546f89ce
SHA1
99c1811274afe910d71c8169aebe85ced123e0d7
SHA256
5631889a0d0e354f2ce334eb3c064ef01e7276937a23eeae6b79e06aa25367cc
SHA512
8e6915f41544101a9c0f2d360d56c813f98ec9f69a7b9436c749a024078d3ce19ed3e0086e79517f1ddc7933688033a79761cc2b4f30be8905f818f7a3458269
-
Filesize
176B
MD5
ca5d6a9470b6d5305d79fa33af8deb7c
SHA1
6384c27e3a8a5c9da9c6292e72d61a1eef5a87ed
SHA256
7f05b9340f9a0ccd9fafd7f67da610d792b7980413f15003588b66e2316b32be
SHA512
1583d62e172ee15bbffae15a40fbbaba25ad9c5b7da09526c90da2b58fa14258b60dfbb81abd6bf8f51e2252ed33712bf74e7038938aed160754383301276e87
-
Filesize
208B
MD5
f791eb6af039cbe646b3cd54cc906bcd
SHA1
6f156bceff6747e652ed203e009724f0b87ed0cc
SHA256
b34448bfa3fc25613666acf494e1e6469a4bb3b7c5da9bc67383d8f14859143b
SHA512
6116fbf29f9d4ae1e3ae7b396fcf0df8cb1856ad1bad18b7f25b7a100fc3269fd13dc488153ae56224f4127707f7705e7c9849cb06fc696695e282931d6628b5
-
Filesize
2.6MB
MD5
bb899895dc086b946535079615b0b558
SHA1
a7370f790e954929d740d12cd3f47140e2b29e5e
SHA256
45fe8e43e996dceb53fd70eeb1191e6ab6ba3e906b08b91479b8beb9aaa13471
SHA512
aa830945b206dfa4242f11619852516c61a03f6f362acf7754b3ad66124e34e591ac09cc34eef3e1fc52231dbdd8fa9f16cb2a6d2a99d33be24244e5f7307a8f