d3bbf25e5244d5b0040ef5d88c20b141e63ec24811802a55a36b9e2879423698

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e5aa7dd600e756436350f7e27dbff1.exe
Size

3.0MB
MD5

97e5aa7dd600e756436350f7e27dbff1
SHA1

861d7d26ca1d25cc202ed24c253afff3166607b9
SHA256

d3bbf25e5244d5b0040ef5d88c20b141e63ec24811802a55a36b9e2879423698
SHA512

9a211832866375cf68d06b771959585afb19b3004440f7e618433b3d746ccbc28cba47a4624e30d1c51f140ef8bc102b28cb2ddbfc0c44dd90a8f8a23f9aadb3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNX:sxX7QnxrloE5dpUpNbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	97e5aa7dd600e756436350f7e27dbff1.exe

Executes dropped EXE 2 IoCs

pid	Process
752	locxdob.exe
1572	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2P\\xbodec.exe"	97e5aa7dd600e756436350f7e27dbff1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax09\\dobxec.exe"	97e5aa7dd600e756436350f7e27dbff1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
456	97e5aa7dd600e756436350f7e27dbff1.exe
456	97e5aa7dd600e756436350f7e27dbff1.exe
456	97e5aa7dd600e756436350f7e27dbff1.exe
456	97e5aa7dd600e756436350f7e27dbff1.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe
752	locxdob.exe
752	locxdob.exe
1572	xbodec.exe
1572	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 752	456	97e5aa7dd600e756436350f7e27dbff1.exe	71
PID 456 wrote to memory of 752	456	97e5aa7dd600e756436350f7e27dbff1.exe	71
PID 456 wrote to memory of 752	456	97e5aa7dd600e756436350f7e27dbff1.exe	71
PID 456 wrote to memory of 1572	456	97e5aa7dd600e756436350f7e27dbff1.exe	72
PID 456 wrote to memory of 1572	456	97e5aa7dd600e756436350f7e27dbff1.exe	72
PID 456 wrote to memory of 1572	456	97e5aa7dd600e756436350f7e27dbff1.exe	72

C:\Users\Admin\AppData\Local\Temp\97e5aa7dd600e756436350f7e27dbff1.exe
"C:\Users\Admin\AppData\Local\Temp\97e5aa7dd600e756436350f7e27dbff1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- C:\UserDot2P\xbodec.exe
  C:\UserDot2P\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax09\dobxec.exe

Filesize
94KB

MD5
41412268bcd2f5e76438ff9f445b21aa

SHA1
1aace4f65f832e0e80765a56e017d1939257caf4

SHA256
60cf7c04a4e85a0eb42928d6021a39368e0a69ff6afcfee79ad91ad52abd91e9

SHA512
54f2ce5c90adcac0a2d4592a1ec3a48be7d9b3245b8c76aee78373fd1a2aa0626a9aca98f622bb622a83085f459039069d9b4258b4e9bc666b6e1d2ebb9115ac

Download Submit
C:\UserDot2P\xbodec.exe

Filesize
94KB

MD5
ca43e41685a425dec187ac1e85a0115e

SHA1
070a7e4991f8ddfe9f3383b94739f330a7e2e8c8

SHA256
ea784e8b8c5b042108fadc13c8dced78598768762712201ce53239b62cca01f2

SHA512
ea78936857a270f663fc617b69d5c172afce6cf0f1e6fabe7d7b4c990b16de8059f5729f9e2046493ff860a7b288e1066d88f4107aebbc3153d7a7452e59853c

Download Submit
C:\UserDot2P\xbodec.exe

Filesize
94KB

MD5
c4697d8738b2735c9cfb2b85b37cd8f9

SHA1
4bcbc3d0c4e8bf0dc5a936a09e2cdee47eb55276

SHA256
f704ebd68eaad4393e2185bddfd7bff05d1575d094bc8375f1086fb06a01e727

SHA512
b5e65c93c968bb0eed2dccf1e806cf0f88a95a905a6885439f52ee42b5b4e6926f3b5c20649453dadfd599ac5c0d3a4f1a25e6ac6545c1abf7c268ab827be544

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
06c55e4d8b2cb9e7fb224c0e744bd1d4

SHA1
01f0b3b5cbcce2a211bb1832e110ae8ad18d3767

SHA256
783b2284c1656f47c45aa5af443714a0c31bd53b0d89e091ecbd2cde37337bc6

SHA512
12ec8b5d6d366ad310899fd89731caaf86ec703b11b844ad8441eb10800c44a1e6b54e1afe2f7b3efada798450423c9bb4fff8139a54e8cc504cfe4eb47a3a70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
385KB

MD5
a5fc5d5cd67e1d2be9ccce3587206eed

SHA1
f97235a14591166c459a3b90cde6f3f2fd9e79dd

SHA256
9647906de558dbf6f980c04815449d410c62eacfb41609ff880dac4d3c98c222

SHA512
c2f03a04df5dfa129608d2b13abb56ba0ca70595d006eefbb93d3591b7c1ca3e1b795e75b126cbdfc3c223f20ce0bb32b6480ff916fb1c93b9b8bb1df3c82d2f

Download Submit