Analysis
-
max time kernel
146s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
10/01/2024, 17:45
Static task
static1
Behavioral task
behavioral1
Sample
97e5aa7dd600e756436350f7e27dbff1.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
97e5aa7dd600e756436350f7e27dbff1.exe
Resource
win10v2004-20231215-en
General
-
Target
97e5aa7dd600e756436350f7e27dbff1.exe
-
Size
3.0MB
-
MD5
97e5aa7dd600e756436350f7e27dbff1
-
SHA1
861d7d26ca1d25cc202ed24c253afff3166607b9
-
SHA256
d3bbf25e5244d5b0040ef5d88c20b141e63ec24811802a55a36b9e2879423698
-
SHA512
9a211832866375cf68d06b771959585afb19b3004440f7e618433b3d746ccbc28cba47a4624e30d1c51f140ef8bc102b28cb2ddbfc0c44dd90a8f8a23f9aadb3
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNX:sxX7QnxrloE5dpUpNbVz8eLF
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe 97e5aa7dd600e756436350f7e27dbff1.exe -
Executes dropped EXE 2 IoCs
pid Process
752 locxdob.exe
1572 xbodec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive stored data.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2P\\xbodec.exe" 97e5aa7dd600e756436350f7e27dbff1.exe
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax09\\dobxec.exe" 97e5aa7dd600e756436350f7e27dbff1.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 456 97e5aa7dd600e756436350f7e27dbff1.exe 456 97e5aa7dd600e756436350f7e27dbff1.exe 456 97e5aa7dd600e756436350f7e27dbff1.exe 456 97e5aa7dd600e756436350f7e27dbff1.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe 752 locxdob.exe 752 locxdob.exe 1572 xbodec.exe 1572 xbodec.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 456 wrote to memory of 752 456 97e5aa7dd600e756436350f7e27dbff1.exe 71
PID 456 wrote to memory of 752 456 97e5aa7dd600e756436350f7e27dbff1.exe 71
PID 456 wrote to memory of 752 456 97e5aa7dd600e756436350f7e27dbff1.exe 71
PID 456 wrote to memory of 1572 456 97e5aa7dd600e756436350f7e27dbff1.exe 72
PID 456 wrote to memory of 1572 456 97e5aa7dd600e756436350f7e27dbff1.exe 72
PID 456 wrote to memory of 1572 456 97e5aa7dd600e756436350f7e27dbff1.exe 72
Processes
-
C:\Users\Admin\AppData\Local\Temp\97e5aa7dd600e756436350f7e27dbff1.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\97e5aa7dd600e756436350f7e27dbff1.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:752
-
-
C:\UserDot2P\xbodec.exe (depth 2)
Command line: C:\UserDot2P\xbodec.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1572
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
94KB
MD5 41412268bcd2f5e76438ff9f445b21aa
SHA1 1aace4f65f832e0e80765a56e017d1939257caf4
SHA256 60cf7c04a4e85a0eb42928d6021a39368e0a69ff6afcfee79ad91ad52abd91e9
SHA512 54f2ce5c90adcac0a2d4592a1ec3a48be7d9b3245b8c76aee78373fd1a2aa0626a9aca98f622bb622a83085f459039069d9b4258b4e9bc666b6e1d2ebb9115ac
-
Filesize
94KB
MD5 ca43e41685a425dec187ac1e85a0115e
SHA1 070a7e4991f8ddfe9f3383b94739f330a7e2e8c8
SHA256 ea784e8b8c5b042108fadc13c8dced78598768762712201ce53239b62cca01f2
SHA512 ea78936857a270f663fc617b69d5c172afce6cf0f1e6fabe7d7b4c990b16de8059f5729f9e2046493ff860a7b288e1066d88f4107aebbc3153d7a7452e59853c
-
Filesize
94KB
MD5 c4697d8738b2735c9cfb2b85b37cd8f9
SHA1 4bcbc3d0c4e8bf0dc5a936a09e2cdee47eb55276
SHA256 f704ebd68eaad4393e2185bddfd7bff05d1575d094bc8375f1086fb06a01e727
SHA512 b5e65c93c968bb0eed2dccf1e806cf0f88a95a905a6885439f52ee42b5b4e6926f3b5c20649453dadfd599ac5c0d3a4f1a25e6ac6545c1abf7c268ab827be544
-
Filesize
169B
MD5 06c55e4d8b2cb9e7fb224c0e744bd1d4
SHA1 01f0b3b5cbcce2a211bb1832e110ae8ad18d3767
SHA256 783b2284c1656f47c45aa5af443714a0c31bd53b0d89e091ecbd2cde37337bc6
SHA512 12ec8b5d6d366ad310899fd89731caaf86ec703b11b844ad8441eb10800c44a1e6b54e1afe2f7b3efada798450423c9bb4fff8139a54e8cc504cfe4eb47a3a70
-
Filesize
385KB
MD5 a5fc5d5cd67e1d2be9ccce3587206eed
SHA1 f97235a14591166c459a3b90cde6f3f2fd9e79dd
SHA256 9647906de558dbf6f980c04815449d410c62eacfb41609ff880dac4d3c98c222
SHA512 c2f03a04df5dfa129608d2b13abb56ba0ca70595d006eefbb93d3591b7c1ca3e1b795e75b126cbdfc3c223f20ce0bb32b6480ff916fb1c93b9b8bb1df3c82d2f