16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
Size

3.0MB
MD5

7ac408baa8038cfc6a553f93a168b35a
SHA1

387099e5299f285ad0ece8ed2d67aa4fab0ac31d
SHA256

16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd
SHA512

c5724a3dce76482fa15a44e8854c40b211ee05c0ae18b3f3ea2282f8fd75a8aeb23c36abf7046e98f4ed6ed0aca18f8060bfb589787a097b5b203f54c2548d80
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNX:sxX7QnxrloE5dpUpTbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe

Executes dropped EXE 2 IoCs

pid	Process
4596	locadob.exe
1952	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPC\\xbodloc.exe"	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDD\\dobdevec.exe"	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe
4596	locadob.exe
4596	locadob.exe
1952	xbodloc.exe
1952	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4596	2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	87
PID 2320 wrote to memory of 4596	2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	87
PID 2320 wrote to memory of 4596	2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	87
PID 2320 wrote to memory of 1952	2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	88
PID 2320 wrote to memory of 1952	2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	88
PID 2320 wrote to memory of 1952	2320	16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe	88

C:\Users\Admin\AppData\Local\Temp\16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe
"C:\Users\Admin\AppData\Local\Temp\16692ca9f6eb1961288deebe491ef894e07af904a5149072be4573e8eba59bfd.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\SysDrvPC\xbodloc.exe
  C:\SysDrvPC\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZDD\dobdevec.exe

Filesize
3.0MB

MD5
917506bbc83d4e952fdb5445644b1f72

SHA1
789e00616c1928b303baa5b544002f791627b9b2

SHA256
c5125a055cda0b02cd2f07c58c6225f44ddf625ef7b4b5d53f624a82b714c7df

SHA512
10a79afd0ccb22abbdfc1654f2b94ded73bc8a826d6838305cd0d79162a30f8c7d3738f6a4c20196c4f1322b747012bdd629b808c89fdb5b29e3d7248c9b5b27

Download Submit
C:\SysDrvPC\xbodloc.exe

Filesize
3.0MB

MD5
7112b07c7fb918981734cd8daa650299

SHA1
3ff8fa8ec3fad4f900decf405c1478d58e238ae9

SHA256
b7e476f78135867a2b4da94ab5c9c8aa6aa60785e5460962f0160ebc860ba64a

SHA512
cf7326b684e84779ca4968d74f0a1601159b6de6eca47f0ce1bdc6796ce37ba7f64424ebe3270c4fb56c4c1a1c3f95493931113e9ac065c1b266ac76c4a5a95f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
b8c14a5de3af68d933947e498827a3d7

SHA1
a1275df5bdac01f89696a2b35c8e507312655d23

SHA256
1edb1acb583d9e959083a6d55ee72fe2502c37b57bc228ff887097ef88848b5c

SHA512
9cd32d14e4b2506c6cd0565041f0200fc03468868603c39b493b208671e48640a53e8b7767be45c226f2e82513619be3a850f7328b9427c3e28b6b2d7e8f8152

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
1db5d494f7655a8e50e1a5ddcc51ae8e

SHA1
c4bcaa8c50503b57bac271c51153e3554dba4bdf

SHA256
3eaaf656e7a5481f915d6d5fb5036459d773b014ca6837893583a24c631e7f1c

SHA512
48882aded34aca0742298b071962d0064cdefeea7eab91786cdd02444648f9fbbf2a6bcd8296bf37a1ccf560c03b144bae733c4e70e9ce95a17f8cafc23b95e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.0MB

MD5
b12cd42f3d561af651dd13734079e811

SHA1
f1a80aa74ff6d384e6545e29a201770138824188

SHA256
d92dcd9ba3c8b9f5d2e8537f28043d53f73b8f67c00ca988e819e0b14694e881

SHA512
331a5dfce6a3fe89688464a1ec7474364e464bdbbd5e86f76a930ca11d2e99a76b2146f99a0360903c5bd1592856ae8dafd616178e22761a00fbd2a5966ea26d

Download Submit