53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372

General

Target

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
Size

3.9MB
MD5

12b87875d1ebf8529283f50efe31a200
SHA1

ec99628ef9bb5125d2b1c0e467177adfcae7590c
SHA256

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372
SHA512

fe0d53cfa27e2051497e1821ccf8e4a496e9e3c99aede4a12794ce86f54f47231d360fabb1148966bdd56fa3cca623d6ac4dc18d2dc230182456d0339b416f61
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8:sxX7QnxrloE5dpUpBbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

Executes dropped EXE 2 IoCs

Processes:

locabod.exexoptiec.exe

pid process

544 locabod.exe
2288 xoptiec.exe

pid	process
544	locabod.exe
2288	xoptiec.exe

Loads dropped DLL 2 IoCs

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

pid	process
2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0S\\xoptiec.exe"	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP0\\dobaloc.exe"	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exelocabod.exexoptiec.exe

pid	process
2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe
544	locabod.exe
2288	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe

description	pid	process	target process
PID 2972 wrote to memory of 544	2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	locabod.exe
PID 2972 wrote to memory of 544	2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	locabod.exe
PID 2972 wrote to memory of 544	2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	locabod.exe
PID 2972 wrote to memory of 544	2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	locabod.exe
PID 2972 wrote to memory of 2288	2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	xoptiec.exe
PID 2972 wrote to memory of 2288	2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	xoptiec.exe
PID 2972 wrote to memory of 2288	2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	xoptiec.exe
PID 2972 wrote to memory of 2288	2972	53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe	xoptiec.exe

C:\Users\Admin\AppData\Local\Temp\53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe
"C:\Users\Admin\AppData\Local\Temp\53562890e0206c165519924186d68eebf0922542cb4a56be68917ae6fca4c372.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Adobe0S\xoptiec.exe
C:\Adobe0S\xoptiec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2288

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe0S\xoptiec.exe
Filesize
3.9MB

MD5
c5ce815269cbcfe1054c60e60097cdf2

SHA1
52ce39dbeb79c40cbf812fb10bf61859e96fa84d

SHA256
6587e145355bd78ec3079e777e09375fb6484649a1468d8116a5f14ac451ecd1

SHA512
64bf83365fa0447637100e75a270d06117ea4f343c84d2317e8efafa28a32c528af83bc6d25d237032e123555a3e04238765f50e04d218a26e34c9b48b6ed4e4

Download Submit
C:\MintP0\dobaloc.exe
Filesize
3.9MB

MD5
db599ad49ccfb85a8c28efdf0b821969

SHA1
632caea2d85bfdace07bc5eeceef1929542853ff

SHA256
4a2ce1785e65941950ea7fff8a6f9b9974666d97cca617ca65ff11fef3ff9e30

SHA512
a66816589562d52b23f0752219aa68ddd0298eae89acddd69efb16673e5801bedf05e5155cdae3fdb9b5c7063cd7866b1860be313dcc5865ab76b03ca5cbc285

Download Submit
C:\MintP0\dobaloc.exe
Filesize
2.3MB

MD5
27672965ce7e0ac242d97a2c53aca434

SHA1
2be059453f5d7b10c738ed90258c5f79bb0fbd2b

SHA256
9c3f712ae1736f5afdaa99ec0013302b5ecc83fb36a3ffcfdc3524f269bdee0d

SHA512
dd4ecfb07273b5a276666f690520feec350e8a02e3dadb6d4e2b7d3d45ce81bfb56c2076d30db609d4033e58f6fa17813c8c91ee3f96e7d032291d73d2436b97

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
168B

MD5
5ef5e9b153c6c06228b95a709a8abd67

SHA1
f803c837f534f91a8afbc95d5cce7bbb2266464e

SHA256
67878f4eac93250baa7de5f609bac7b0668d1881c1b428e07ceb7403acce2852

SHA512
cf2d910d6f6e6e765715a0f128bb22bf1ef93a86d07a4c2d0d1088c0231bab7d7533855018ce593af98de36447adbdd3e3c8d64055f4b21b8f71e53fe2bb0eae

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
200B

MD5
2b195f8d7a534217008bf5186a79f723

SHA1
243e8aaef3c64a07175e8b88c158c525cc351f30

SHA256
cc2f4cbc8b1691232af154545a4c5c5674cdc642f29d64cd45917e188e31fe6e

SHA512
bd14b180768affed52c27780bc594a1b4534422e362a47933fc68c48851b89423f048b7205e932140becdb2a72c98ef975eb3ceabbec4b98a52bc9cf2cf200e7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
Filesize
3.9MB

MD5
28637b28a48c3c6975a15dadabe3d850

SHA1
cb4afa3be1eab133f73eb739d5d790270d6ef037

SHA256
3f02bef6b17921f4d271d38d57be541be7ce797211e56cf4031c6d2f6a4bf0bc

SHA512
38472833dd3b5b03d333d094bc9221aef8e9e28f2cda7056829f3d61ef4897352b84196dbd720066a3f51eecdb55483aa3ecfc0ea559bbcf450b2f7ebedcc3c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads