3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9

General

Target

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
Size

3.9MB
MD5

3303d48d7c9e208b2a472cdfbedb92e6
SHA1

4af1ca5dd9e7e2706b3413b15253b54ece573086
SHA256

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9
SHA512

c9820dc4209ea43cc65a915531c1b42ff759b56f94af9bbd7185e109d2634f03caa1d0c269c2295e7d6b493aa12fc04a4f37fb18f3ab4152a1aa6ede7727df57
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8:sxX7QnxrloE5dpUp7bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

Executes dropped EXE 2 IoCs

Processes:

locxbod.exeadobsys.exe

pid process

5084 locxbod.exe
2936 adobsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5084	locxbod.exe
2936	adobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocD2\\adobsys.exe"	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRP\\optiasys.exe"	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exelocxbod.exeadobsys.exe

pid	process
1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe
5084	locxbod.exe
5084	locxbod.exe
2936	adobsys.exe
2936	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe

description	pid	process	target process
PID 1400 wrote to memory of 5084	1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	locxbod.exe
PID 1400 wrote to memory of 5084	1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	locxbod.exe
PID 1400 wrote to memory of 5084	1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	locxbod.exe
PID 1400 wrote to memory of 2936	1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	adobsys.exe
PID 1400 wrote to memory of 2936	1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	adobsys.exe
PID 1400 wrote to memory of 2936	1400	3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe	adobsys.exe

C:\Users\Admin\AppData\Local\Temp\3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe
"C:\Users\Admin\AppData\Local\Temp\3b46017e8da370fcee7a9aa58cbfc64e6f366fcc42c50c2633a709b8f6b001a9.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\IntelprocD2\adobsys.exe
C:\IntelprocD2\adobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocD2\adobsys.exe
Filesize
3.6MB

MD5
f5e91bb52e257ca6dea123e46f0f7883

SHA1
13e0284293d7a2014bb93695623a7b3b04d76269

SHA256
7a5683268bb344fd97c3e72b5625e2ad7ecf2cd9dee16eb9f5a4f77b1fe83008

SHA512
e1837807d52685b33ce26f3f2f8c14452023779dc9df93788f76d4fcd3323f051ae458b899745ec802c5edf7f40cebab5c5d93671288a4e800ea1f8a0883bc56

Download Submit
C:\IntelprocD2\adobsys.exe
Filesize
3.9MB

MD5
7b20ae60ba476684b621cbc9423ff040

SHA1
3327441ed8c27b5e349eb62d4bd4014d52160da8

SHA256
dac3c4695074d9e891967dfc17b6aa2d09e6bf6d36ae48f6df0b8d8275296f14

SHA512
7009aaa965327ffad78c912d129da71a78afe1ceb1af2098abeb62ae8b4c1ce06c8cd78aa8110fb8b79e44829463d2dec3aa7b120a9e84f4907a0d1880afb480

Download Submit
C:\LabZRP\optiasys.exe
Filesize
256B

MD5
bae5eb085a9f023b8d36e2a083933bdd

SHA1
c8f3b383d6ce74e8606027a03db4b0ae08c513b1

SHA256
b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab

SHA512
93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3

Download Submit
C:\LabZRP\optiasys.exe
Filesize
3.9MB

MD5
719b34fa15005fecf2fe6ae6d01011cf

SHA1
ad80a406c6d201703cf087289cd3dba717256679

SHA256
3b2c949cf698e786b99c0041f6244632cf38500755f9574a498f301632c65239

SHA512
bd9a575ebebc1c3f8e22b0383b223814a6cf68749790559305c49f0f8d2f6d1571cd125e475d9c5b031ab114138c05a0db10a0eadb08c0bc79d9058872ca37e5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
205B

MD5
2e55aa950d7b02739f5aeee444452f20

SHA1
b129bed0568a343caf2b01c651e441f94c7aaf53

SHA256
e711dd9197323103962f85b45f356ade422dd48c56c00a2025eb43e8f0fecfe6

SHA512
3140842105ea63db34accfed5f3651b0e2877428948541c3c65be052077616420631368c765ce50aef68f46ff4eab94aac251e7729842e46873e6311f9b151e9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
173B

MD5
5fb7b15a3660c95ef935bad346374776

SHA1
9a21480d02b935730181dbe3f6a08ab08913f5d5

SHA256
9d40a25ba5f8d3f019f82fbcaa7f9271f715353646a6b7f8c3af97a7b19d778b

SHA512
93ef12845bc597da8302883a6a87dc4eb47dc13628ba68fc0dd818260a1737888b03440095ff6e503ae48d6cfe344187d5d1c4ff9f290d87b69cd21de6c2d6ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
Filesize
3.9MB

MD5
de064091cb7d95b1b57cad7ea0acd79c

SHA1
256dde2aed1d872babea7d590d7892d649a469d8

SHA256
524109bb1b0d241b108df6860b03520a6869262df05f2b1d299729feb2e8ce3f

SHA512
dd0b645197b23aefb84be1bbfa77004f31e7c9c93b5c9966af9f85d9498d6632ab47d0ae705cb97d8b3b3d3819034a7ee53a3de65ba9a04d4a0607a50c83a003

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads