236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
Size

4.1MB
MD5

9e9873acfe2fcac0cee011ab34ebfcbb
SHA1

0328aede3e09727d6e236222e827ce011715f385
SHA256

236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5
SHA512

8270985a4d7fce79d3de6769e65a7bb66bd5ba177ce61ce764b4c60d1b782ace4df7e6eb0488816c0f59670279e1b186ea2f5af83bba123455b8a57f8a1aca1e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	locxdob.exe
2844	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXW\\bodaloc.exe"	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCZ\\xdobloc.exe"	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe
3000	locxdob.exe
2844	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3000	2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	28
PID 2968 wrote to memory of 3000	2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	28
PID 2968 wrote to memory of 3000	2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	28
PID 2968 wrote to memory of 3000	2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	28
PID 2968 wrote to memory of 2844	2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	29
PID 2968 wrote to memory of 2844	2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	29
PID 2968 wrote to memory of 2844	2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	29
PID 2968 wrote to memory of 2844	2968	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	29

C:\Users\Admin\AppData\Local\Temp\236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
"C:\Users\Admin\AppData\Local\Temp\236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\IntelprocCZ\xdobloc.exe
  C:\IntelprocCZ\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocCZ\xdobloc.exe

Filesize
4.1MB

MD5
ad87c8d1b7d0d6a8112dc5865e68e182

SHA1
19885ea4974f95c984bd8706b6fe6d569051e0e0

SHA256
2f61ee00a0acbbc425d0dd01778520fbc2d1fc058dd434623d081244a1d33dd1

SHA512
ca6a874d26e5cab7ce50c04f46e71edb8cc63ba1301f3c53fdaa4fa3bd2bdc01d043b7e61a38196ee05595a5254eeef775e0486b7c95f629ac7b6357f16ab9c7

Download Submit
C:\LabZXW\bodaloc.exe

Filesize
4.1MB

MD5
430601e7e5c79435e3c6c54546d1ba90

SHA1
eb2991869237c5c18fd10a0f1bb90be8eae6820f

SHA256
57bc8e3e605750e06477f957a5de5e783b173dc4807a55f09b437c553aea63a1

SHA512
9e22533c75f6e3926ee4a087b0f93033a65eec8040492d6744561ed98efa23c887ad585c445c69bac8231147662fcf13ec5b61b32c171a2f827b332975491347

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
d02ea01526212a6cc75d88584d25c7f6

SHA1
c86635952237fd0f4bf3301c4101760361f23449

SHA256
03b2384a7046697755767b8b9fe688b1bd15d20aeed00a3908128cbcee1bb09e

SHA512
dfe0c225d3ac7213375e39352a5ca5dcac65ff4cbfdd33851f3ea3bb9c6e6fcef561357a8a7f53fa51336c4d9d6c4a7b927adf45ac328d24752bac234dafb833

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
d00445955a24ed87e92bb0c62ff84e79

SHA1
268f79e0c8f59f4292c83c4dad5ea33bab6f7fbd

SHA256
f45d96e5bb539bc4e43b9b8fe0697a355d41a9be0b4771689109af7ac1320529

SHA512
4a72df74505c4d869201c95bc1a4462cf28fa51e15aa018c591ab7c05238484fbfa016658e8efc5dc228b13f23b17cd8940fb5b741dc6f838ec35afad831b775

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
4.1MB

MD5
9043ec4abc4ac8c1dabc647b7cd41e87

SHA1
7641abceb815388ef03db732bf057825ce1493aa

SHA256
beadfc880449771056c65c1eddb935293ebdc07851fb92480eb081b6612eab25

SHA512
894f48c5a927c8d82f9cb3c0c7ded97759e1bd6335c2e201c2dc35a90d93d5974985d0cdbf6fef06e032b104e9125136f678950fac1b3e7efad96bc612e89828

Download Submit