23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe
Size

3.6MB
MD5

8795d51e5f94f4d63b63e2557c8d8247
SHA1

0a7ba47463e29b0e4f788df89d5f959cd679825b
SHA256

23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a
SHA512

fd3969bfbd1abcb4ee5e09047a71e69c828233bf18fe612e41c3b2c1c81feb3dbfa1b827d3be618d3b0719836b944be12ef3b510a8a014406cbf967205aa08a5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUprbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe

Executes dropped EXE 2 IoCs

pid	Process
3004	locxopti.exe
3012	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4O\\xbodec.exe"	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBA4\\dobxloc.exe"	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe
4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe
4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe
4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe
3004	locxopti.exe
3004	locxopti.exe
3012	xbodec.exe
3012	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 3004	4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe	87
PID 4592 wrote to memory of 3004	4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe	87
PID 4592 wrote to memory of 3004	4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe	87
PID 4592 wrote to memory of 3012	4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe	88
PID 4592 wrote to memory of 3012	4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe	88
PID 4592 wrote to memory of 3012	4592	23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe	88

C:\Users\Admin\AppData\Local\Temp\23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe
"C:\Users\Admin\AppData\Local\Temp\23218db441faf206d342c4a4a0482943f801baf54b317c102b0d13be0ac30c6a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Adobe4O\xbodec.exe
  C:\Adobe4O\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe4O\xbodec.exe

Filesize
602KB

MD5
9347fb43f89cc86e848d8cecc302186b

SHA1
d0b96f6843dac46726b0407ff35f810793f74510

SHA256
ad1a4a290930d9a8721759f49a8021cde6085c9bf1f5871146b900bc28db29ec

SHA512
7660a4805ccce503179b62c18df22f67e7141064c048db7cee9c5ea5465da95f0bfb7bb0409cf063c06c4a91fccc40de025715e5a2a50be3cdd91d7249e8905f

Download Submit
C:\Adobe4O\xbodec.exe

Filesize
3.6MB

MD5
128ca44ae5b199f9842eb6aa8a4dac50

SHA1
b7db1e68662bb65812f70947cf8917c5314c46bf

SHA256
fa04cf77f9d8fa1d7a60c616c3fd36fe6f623947452bbed4faae169cf1a6b68b

SHA512
2ba39ab74e588130271daba717dd369a4e0b9118031c240bbf31ce3d2f3ef51573b6fa9af8cacce6adbb5bec29c5cdc036449059aa4860809fb359f7f3c63b49

Download Submit
C:\KaVBA4\dobxloc.exe

Filesize
1KB

MD5
81306907a8898717e74eee7fe3ec9748

SHA1
6871f1f920d712de6120473f387e1497841b3829

SHA256
1b17bb743b1a2dfc12895dffa0a7b9b5daf090d66b71008fe29879bad1786322

SHA512
205b7de43c582a32ad49cb599becf76511d0269af1df1adea82987826d020f7e62e8b53e8f82da5c2f44154cdac459eaa4fb29ea6b720b0cf9d5e5148fb62730

Download Submit
C:\KaVBA4\dobxloc.exe

Filesize
3.6MB

MD5
b8de8ab6c53a6c193798b1f1d97d86cf

SHA1
f36b65c4fa85d3ef7afe2daafd24bec690a98861

SHA256
bbf3ee27fe346e02611f690809cb5053be5bda79043cd4a1998c71e019c2e045

SHA512
c3caf08cc7c069c27c6967e608b1065d7dbc3f049a67b7facbc3b5b39d05e6dca2fca6cd6a0e583602d5d66c6e7d31236570937c1292fe174cfd32fde3e88987

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
115fe58f24f73450b17614d0899f283a

SHA1
696f67867665034ea46ea853145413ff1d1e5aeb

SHA256
ed91409538b6a3c78f284157083f7bc6a5d7d9efea907e4c150b6f97e007afcb

SHA512
792ea6ff2ac93c55e84b822e4eb703adb910bb1521156f6be88518abc985f6951ac4616d714d6ba8a6957b53644cd28849f3afc3c5e730cef60af31bf1c1b01f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
a5b1af9b547b0a1731e346423a47e7f6

SHA1
5233ba4befb103b5df6209459373806eeb8346c0

SHA256
20678af71a4e47dd98ae1630e8b99eaf624c08f2efc76949999c711d7d3facb2

SHA512
0d90302b8e87e600e0c34517eb8a6b218565c84250ee97c954b6869fd06686c88105fcc9e4fa8e99ffd37490ecce0f235e549e407b5f7bfd407b76921f5cb402

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.6MB

MD5
472f01edff9ca6f1ec2ebccb06872f96

SHA1
aa83a7c795c79ea2919e26d14b1b3818eec88adb

SHA256
f3db384012a7dcd92f1a9bca8304213596436ee5ffc4a99493c0af08970c481c

SHA512
ec49a9fa4c0a90f4524b2603ed15a50ea187c5b0d30b4b087bf267d67fb4f5a814a9972f9242e41fc97c5bf924752c4bd9f8352ed3a965d33ac7787c47540a14

Download Submit