16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f

General

Target

16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe
Size

3.6MB
MD5

6e157fe8c0e3182b338df1380d2564b8
SHA1

a254d17e7e34006e1b04d997cd14e9d77c0cca88
SHA256

16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f
SHA512

328b1cc0b40eba9b1ad3814859b8f490b5e72259206ac750bf8906ca16b7781bec692195505ee8c5bd9b0e0555ca8b9c74263d660c08dfcb88051e1b758e29de
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp2bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe

Executes dropped EXE 2 IoCs

Processes:

locxdob.exexdobec.exe

pid process

1580 locxdob.exe
2408 xdobec.exe

pid	process
1580	locxdob.exe
2408	xdobec.exe

Loads dropped DLL 2 IoCs

Processes:

16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe

pid	process
3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe
3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKT\\xdobec.exe"	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXR\\optidevsys.exe"	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exelocxdob.exexdobec.exe

pid	process
3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe
3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe
1580	locxdob.exe
2408	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe

description	pid	process	target process
PID 3000 wrote to memory of 1580	3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe	locxdob.exe
PID 3000 wrote to memory of 1580	3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe	locxdob.exe
PID 3000 wrote to memory of 1580	3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe	locxdob.exe
PID 3000 wrote to memory of 1580	3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe	locxdob.exe
PID 3000 wrote to memory of 2408	3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe	xdobec.exe
PID 3000 wrote to memory of 2408	3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe	xdobec.exe
PID 3000 wrote to memory of 2408	3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe	xdobec.exe
PID 3000 wrote to memory of 2408	3000	16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe	xdobec.exe

C:\Users\Admin\AppData\Local\Temp\16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe
"C:\Users\Admin\AppData\Local\Temp\16f0eb7b82242596337674e6237e96a3ddd00169569b38f1b23dc3f4a3ce634f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\SysDrvKT\xdobec.exe
C:\SysDrvKT\xdobec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2408

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintXR\optidevsys.exe
Filesize
3.6MB

MD5
3b53908f1d1dc4bbe0fa27296cf8ca95

SHA1
6ec57fb6cdd4b52d489914c67c795decc39a2926

SHA256
d7529f903a35039998aca88ec072e5f7084749aaab5d8e5ce9e7e3a8cfcca32e

SHA512
db50731b47415ad22cbfe1141ec359d1765dc82b2b447d3cfb5e2b661477815001ffda6fddfeb1e22e6cec83e6c2adb41f889a81caba0c88d6196d7081f3ad02

Download Submit
C:\MintXR\optidevsys.exe
Filesize
69KB

MD5
1c4a30215ba856911933b14b4ccbac49

SHA1
dc919b9cdf706f9a6a2635d79afb78900cbdb380

SHA256
190605d60f8cfd702e985f5674f0f3b651aa02342315ac01dc5546919362efd0

SHA512
17da7dabb5684f8498f0e8ab91c80b7eb713b53b1c8fa15b1e4970410897da217f65a4638f90734ed58b298c61dc8736b4392185ae89c386bcdc3c27b2f94daf

Download Submit
C:\SysDrvKT\xdobec.exe
Filesize
3.6MB

MD5
e927aa4cd2ae269ef322ca890d7b88fe

SHA1
0c4ebbef731c3eb3cbe3e5d54649589f3fbcc7ba

SHA256
928b7a466a939553e061338de1970da35e48755a07e809c150f98c5d0590e237

SHA512
48102e0de8e4db6ab0298ea281643673d394a6ccb7eab4dd94ceff99e9781a204431328a062d091f0bea82d44a707881d16571347016934c9bf983adee9e321d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
171B

MD5
1249bdd97b826b651ff46082850fe01d

SHA1
efea490a1e324c53bf9eb347c68e19b62fb093be

SHA256
bbf90ff35e2708b784ee1da2c3fb30632413e72de32cea1a852915c9c8e1f9e0

SHA512
1153c4ac5053ba60674ceba1f8654d03f77c8a2722d3848c49cf9be180df5f3ca41951534d02caf19d6c8f53c25b802f6f21a1244f05ac9672a28d74d5599181

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
203B

MD5
2a68efc7aa247069043eda583bc97e60

SHA1
4ff55278a13f2445d0682f8d1f343d8fc1fd44f9

SHA256
aea2921e9e3d9c7c3685801d3dd2095f8b9e03518c0a159659ca751bddd906ab

SHA512
bb62f61801c48ab570754415711490e0d7fb6b1da49ef23407c724010aae38dfc89da60b3b5901f777c08389181cd7f82139705c3cb2cbb4764ad80f48b6e306

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
Filesize
3.6MB

MD5
4ad230ccfb46bd0339bd940b18e0018f

SHA1
b92e9c9864c8cc9f70702d094c5d74cf7a36b3e3

SHA256
3bc5d80048931796b28f8a4ff19b7cab4b878ecb25366a0ebd35f9a6fe38f7da

SHA512
3b97a372fef535450239505683118c7de9d2cfe8fca56f5ef6422f58cd1a5ea132df8a85370a130cd915f8908717e64c837b72d48debac8385a27621c22848db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads