70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
Size

3.0MB
MD5

be2234c150990775e1c873e7e6616739
SHA1

83730d07f202de46c71210f23bab03b09a537179
SHA256

70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04
SHA512

b92fa0345044253e5cb9d8f8e2eeadd48a293a43343b8622258bd1efe9e700d15c764ea2fc4c55ea1230a9a58cc1273a9abbf94ea9fd83e6b1d989cd5c666279
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNX:sxX7QnxrloE5dpUpEbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe

Executes dropped EXE 2 IoCs

pid	Process
288	locdevopti.exe
2748	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQJ\\xbodloc.exe"	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHQ\\dobxloc.exe"	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe
288	locdevopti.exe
2748	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 288	2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	28
PID 2364 wrote to memory of 288	2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	28
PID 2364 wrote to memory of 288	2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	28
PID 2364 wrote to memory of 288	2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	28
PID 2364 wrote to memory of 2748	2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	29
PID 2364 wrote to memory of 2748	2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	29
PID 2364 wrote to memory of 2748	2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	29
PID 2364 wrote to memory of 2748	2364	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	29

C:\Users\Admin\AppData\Local\Temp\70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
"C:\Users\Admin\AppData\Local\Temp\70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:288
- C:\FilesQJ\xbodloc.exe
  C:\FilesQJ\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesQJ\xbodloc.exe

Filesize
3.0MB

MD5
abfc9b7ced28edac94441212c9d8b6d0

SHA1
0706da8bd796f1b760da87bc5f056ca6ee5589a6

SHA256
c6c4484d196445ed0f08114a4928760d5d072e7f26de0071634f7eb5ed1db988

SHA512
1f95a3b79654e4a8916e63296ea66792327a0c926caa6b7319ccb3e40d1cfe89ae6d25a1815e727a9181b9041a0a99df3ece52208746607279bfd6dbc22a9353

Download Submit
C:\KaVBHQ\dobxloc.exe

Filesize
3.0MB

MD5
47fb1b6bf72226dec27cf383cff5600c

SHA1
32343b16c119fef639ad2a8a34c5142c4f9e90d9

SHA256
873bbed8e0f6a8f21e7076b3905c14e73bd214c80cf2bdcb622b50ab5ffa49ca

SHA512
394efe323df40e154138d9b6a93b8f28ab76c77f4bb3e9d531ab44f54cb0668f1dd552d2686ec91e083de477df70f82f5afe3802f11ec6000b56894049121854

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
12206813997023742f515f8dbe5a2167

SHA1
69f0853a89b5f11c121cb292dd426531f5146c10

SHA256
0186ccf858dd38ec92d697bed11b10461b7f8e2198454f07da32e33cbd31e331

SHA512
30f52425ef4ff84b86e7f18355f82954371c63b538858f133a10739e40561603acdc6c5f07ac8e41a8a9d148f09f80097d0dc17d1099f20e7b5738377a7eebe8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
7d003d23167064c34f85a21991a2a88a

SHA1
f87dbd351f638c519bed454577eeda7a2212957b

SHA256
c9b454c827f415026a9f6e42c645c343d884dd49b3bf3c3c2e671a1753adeb62

SHA512
a9e4a896a92e72af182d057d674b7423a568cbd041c20c49f9fe773778da1d3a8d63facab5b9f8536a154a377c5ff64e780727aa53594e6495dc08a5482b853d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.0MB

MD5
6c4dfcf6ce550c19ae773ad15545668f

SHA1
2d4ce26ebae8480a1220c1504ec5f2e280c4e963

SHA256
c9d61db6871bfcbeeeeac567a894c6dd762f892a41de6320da93f6d28481736e

SHA512
d2f7a362b39ba348b873f778711799290aaab389d379e4ea5ad820dacdfd206451d6303141931102fc333ce2021098a7a3438be3d56a5983c604bf2c8472ade2

Download Submit