1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
Size

3.1MB
MD5

31cab91b730e265033025e4a309695e0
SHA1

308b1965cdb522f8342ab9585d1cda5d084a8fd5
SHA256

1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e
SHA512

e82c2c61d81d5ae730fa965555a06146f67fd9b4a72c0ff529a683298b758b181b8a347ba18cdeff3a9556d6d2fcfc47e8bb7c5083982b09ce4988f3f8720160
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpYbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe

Executes dropped EXE 2 IoCs

pid	Process
1748	locxopti.exe
2712	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXU\\xdobsys.exe"	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHV\\bodxsys.exe"	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe
1748	locxopti.exe
2712	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1748	2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	28
PID 2184 wrote to memory of 1748	2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	28
PID 2184 wrote to memory of 1748	2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	28
PID 2184 wrote to memory of 1748	2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	28
PID 2184 wrote to memory of 2712	2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	29
PID 2184 wrote to memory of 2712	2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	29
PID 2184 wrote to memory of 2712	2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	29
PID 2184 wrote to memory of 2712	2184	1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe	29

C:\Users\Admin\AppData\Local\Temp\1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe
"C:\Users\Admin\AppData\Local\Temp\1cebad6e254fc608c339b86e882b4b71a5bfd5920655117daeac3b0203ea1f1e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\AdobeXU\xdobsys.exe
  C:\AdobeXU\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeXU\xdobsys.exe

Filesize
3.1MB

MD5
e8fedb6ea6f75359985c7d4ddf5919e9

SHA1
fe06ae71df660cae403ddf3b2d6bc1567a6b03b2

SHA256
6e52e820b187cc67e86739fdff79e8032b940cb8adf6fad262905c96d3637180

SHA512
553bcc4a72415d4cda9f0862c8d92b4b6a6e4b73e0dfdfa680a353fdea575f5195aff293eb01a8c4bcb6a2ced6e41b322785594fafb89b7d4936bf6b167d9788

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
22a2f1f3cc03784b3af7ae02e0f492d0

SHA1
80a3c91602f2eccf9ba4c4a14172ca2a94a1658d

SHA256
f1430af27793af52bd7419897ba156acaba36fb46096172b51faea0742e38855

SHA512
26c8eba973a734e30093d0a7149a3ced32a20b5d385a87113dde94fce90b36d7604ac674e861257d5b17cdf124c05bb5c2f0a07d67a3d101893baeda55393efa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
09cc8e722e454d81883f31b13e20c058

SHA1
6220cef9a029d6a345783abf38a9b742ed409b02

SHA256
374112cd82fdb6527bca8bc29763cdea4c6221a23ae20b5cd78bf63af8fb7bcc

SHA512
8db58ceb0fd4912a4350dfc52aba6b369fe525fdb72802ffb7779ab135c11b38c034667664f808f8ee4453b9e7e29086c449c4e2b18a7c7f32ca720f1a727869

Download Submit
C:\VidHV\bodxsys.exe

Filesize
3.1MB

MD5
7cb8966b4a157cd9f517705fbcec5d0b

SHA1
b0fa878ef17bff7afa8e4a81a08d9238dbe79109

SHA256
8195c72e5290d74bb19ee42edec7311e7dd94f1c46b081124ccae78e5ce9ee7c

SHA512
c081861f8b21acd8f12e447659cc822c1cb80728d617fd5d4a05cc6cb9fdbc0f34c0dc67ae62f714e0a0e3692842a3fcbec4eb1e6e77d5ad6b243a0f12e69c6e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.1MB

MD5
541a9fd56b2c5387df078a0823fba069

SHA1
8686003af24b288a48f9de597c9bfc4a4b68dff1

SHA256
6b728dad0951978c12ee1b42cf5161cf55560e1e2987e12efe96f973dd29f254

SHA512
49ab978d0d581ea7d1842a48b069a4572dd4bc01dd48a9455521b5b210cff74a3ac4f03598c8c087beeb937d4cf99205d80b4cf57cd91b5f5e3c8983ab8f7ca1

Download Submit