1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
Size

4.0MB
MD5

b9918b8a5af2690286d9d02ac190e48b
SHA1

28fe6e317e00d8447b86d88b20444d3854fad150
SHA256

1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e
SHA512

dcf7c7bc1f63bae070059984cd11e3ce4b2d28dde39d6d01e8298bfe513998146e2a3d27d87fe0172633cc6a1c255be65e2d7158ea1b4d8d33181d377bebf3f7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe

Executes dropped EXE 2 IoCs

pid	Process
800	locadob.exe
1424	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZI\\xdobec.exe"	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAE\\bodxsys.exe"	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe
800	locadob.exe
800	locadob.exe
1424	xdobec.exe
1424	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 800	3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	87
PID 3048 wrote to memory of 800	3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	87
PID 3048 wrote to memory of 800	3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	87
PID 3048 wrote to memory of 1424	3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	89
PID 3048 wrote to memory of 1424	3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	89
PID 3048 wrote to memory of 1424	3048	1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe	89

C:\Users\Admin\AppData\Local\Temp\1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe
"C:\Users\Admin\AppData\Local\Temp\1c45b18a2aecf015dd5ac6500f9e924334a602bfa325910f3c3426084cc53a1e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\AdobeZI\xdobec.exe
  C:\AdobeZI\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZI\xdobec.exe

Filesize
4.0MB

MD5
246954f3e279a089ed803ba45936d2ef

SHA1
fb15091268d0b311af5077e1d396c980e03706d3

SHA256
af1245434f1a95662605005db38c02ee578e6b206cb13c71324aba4d3de1e7e1

SHA512
6112cc4d4e7fd05cb26e3011c36344ecc93e2dfd1175e2b929561d20ec45238815e6f496857ef76d4055419d6aee0a778092e58b3c7d419b3a7ce6dd8cb3a0c0

Download Submit
C:\GalaxAE\bodxsys.exe

Filesize
4.0MB

MD5
7a5342122a8a725227e4201af7289e4b

SHA1
5c398b7e0d650ea3c35c31f604c9793c3515aea9

SHA256
19f10eb8841a92571c7d25d5f536055b82c411d5d37574a569810f10cdbb8263

SHA512
00bb0f3f08392ec18a08e8f84ea5ccf2eada270427902fc82e07374d784f0d0f533aa5a0155502fde05737c6d6a617e65a9d9e21b449dae175aea13111b236d5

Download Submit
C:\GalaxAE\bodxsys.exe

Filesize
4.0MB

MD5
bf8b66810c9b4b682d777394168eb4f6

SHA1
7c7fbb43cd71c84762a06e3a71786c64f8a2f563

SHA256
e86acef183078769dff58d8b594e8c6cac048dff2404869455565746803abd26

SHA512
0588c5989a66aad7a900592cf32e3964396bec82b43b50a1affbed9582cad343aebe84af4a94629705b90023861c85d795b1afc65a976011d45720b83fc2db19

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
c5f0896b6e13cdc24a6cb780c7b5394f

SHA1
50f5885213fda5871e992c7905de5851f0c93bd6

SHA256
fd31a3c990ad54a88a7fe2083556e21747f24ec775d00552828baad2f0f2b73b

SHA512
2bc587e9a9d841c46405cefe9b0ee7f4bbe97c455f526a2f7fb35dd8903164b8fcc0ca758d3a2ccbe73fb80e509c2e588bc821eeea1df68f65e01a1d890e5ed9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
fd1a94a30aa73281cf86eaf30a61720f

SHA1
dcf2bd1df1114f24a92742060e432028ed79c221

SHA256
dba63a505a3f77fa24db2f8076af4d4841cd3a19f6be0e9c6d10bd429c7e6b1e

SHA512
fc1e22c29ec99b10975db1ff9dd749a101c6759e996c934b7a232bd9fbe765912866a7ff1503f2abb0cc3228105186146a628790801504cac7ac97d1b68b4ab0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
4.0MB

MD5
14a2ef968f503a4ab3d8d7edc17cb049

SHA1
cfe7e371581f0f09860fe5d186ca472c5f06be41

SHA256
73bcf58265e3608c4a07b7cd97b16f13e774c2d4fc5bdf6be9f3563c6f7a0d3c

SHA512
794c55fb6400f1fb681097df776600957e9e60d0d19e0b847f23431baa006ce9e4f5ee0bc9b03038e7dfbca232fc6030209704ec90341eecabad6e85e6a79526

Download Submit