4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe
Size

3.1MB
MD5

5d8f6d86dcae2dc942c49b6afab2d077
SHA1

67cee6617dcb58d4b5c1264d1e98a271d500d59a
SHA256

4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305
SHA512

5676733837d0b71fb0b5654e049c010067c0ca06ac769567ac7f87281a5c526112083cfed4fe79037a7e107b8c18bd35c5cc08fb9a903aa8071929e74cdf4c1f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSqz8:sxX7QnxrloE5dpUp2bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe

Executes dropped EXE 2 IoCs

pid	Process
4668	locxdob.exe
4748	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1L\\xdobloc.exe"	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidON\\boddevsys.exe"	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe
2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe
2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe
2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe
4668	locxdob.exe
4668	locxdob.exe
4748	xdobloc.exe
4748	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 4668	2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe	86
PID 2916 wrote to memory of 4668	2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe	86
PID 2916 wrote to memory of 4668	2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe	86
PID 2916 wrote to memory of 4748	2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe	87
PID 2916 wrote to memory of 4748	2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe	87
PID 2916 wrote to memory of 4748	2916	4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe	87

C:\Users\Admin\AppData\Local\Temp\4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe
"C:\Users\Admin\AppData\Local\Temp\4f0d055b46a0b0a95444d5229c5861be8322dcb85de62a9497556c36ffd0f305.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Intelproc1L\xdobloc.exe
  C:\Intelproc1L\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc1L\xdobloc.exe

Filesize
2.0MB

MD5
cbd7f17dc6e7975b88bcc1ff00cb973f

SHA1
b4835b5e0a682fcccb596676d572aa06c097a890

SHA256
8cbe7a4c6c8b0e4a116d53f43caa4ebf2c8d0cb0208604e4dc93784aac21b0d2

SHA512
5c01e75a9ddba79813127fe0ef59deddec8bd023ba7c1bf25dcf1ca3b00e5aeae74736869a3f97da90bfb00e2301c2be626fd52e09e096ce96418b4c9ae2437c

Download Submit
C:\Intelproc1L\xdobloc.exe

Filesize
3.1MB

MD5
2e1593a3d136786bdfbbefe9b50e17c3

SHA1
f36f370a0cb1efdadbac67fc78e2a2df67c81ae4

SHA256
2eab2f6280c8d284cd1fa7cc294212ba04aa1a477620d82f7b01bd6bb9b3a131

SHA512
7bb404102f0567ba430b1303ce67c4d3a92e4b2c80ba79bf492a86c46f4351a3cc36ab35911d0b79f47f477ad7ecca90ba52ad77448b741b720cef366c65d794

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
49690113bfbaec40b55f4a260981821d

SHA1
8c2379a1a1f2d6d5a0473b532b2d853243cbbc79

SHA256
3c61f4f33294fcbef447b5314a6ce88f86eeef1f6769812bf8d3304430bd42c7

SHA512
77df3a73594fe529ca56d82a1d5cd1d11a2f0f17d9490d5b282d211ae8aa6bfcd2e876fb913c1195004149effb42c1faffb95d7e3f8b25a1c9d6af64871e988d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
cf65679945cb89c40ae810bbbb55fe7e

SHA1
720fa14a742bfdad89cba8e6416afed661075a36

SHA256
98e4be964bd330e2d24fe48c6edf41c1b4e8e7a1a2cff471b75d1f1e5ddbd503

SHA512
842655e6513f652debda1e9b1c6d186ef789f23cf91cbadcd5b1878f21ecdf3da1bb97ac3dc83fff2ce5443dd04f78b4a102069fc2e2fea8efda9b9e55aaccd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.1MB

MD5
dde80edbab87b4508e84efc9f3a11caf

SHA1
8565f0c122f08b3a5e9343b19c2a38e9f2f563b7

SHA256
dc61b1d5d8310d7ba00e1268ff39c1be10653c83793bdad0f565d9cb28ee467a

SHA512
3821fad98830c50637c06d3d9f17d58208960b1d5195fdbff0a98f84d3112d501ab54894f6329e25c0f07727465598dc329ca09ae28b3a4a9fefedb84235473f

Download Submit
C:\VidON\boddevsys.exe

Filesize
3.1MB

MD5
76e747308e288a60a37a7b75d048528f

SHA1
0385ddb77518f33c4f0a07ece3b0e8f6a51083cc

SHA256
4b57798f08303e74724f5e967a3d1bf8927fc72a1f11c5a79f5c2cf1eaeb7de1

SHA512
113f4c49df8fcaf594ce75382e22db3c0267d66c1d10b93ec7f62a9ea593c3c44362cd63e6fd80eb0ac9586cd58d554b183dc02e1d58231f12b756f11589b139

Download Submit
C:\VidON\boddevsys.exe

Filesize
61KB

MD5
ec38d24cdd2704cd7db62f1730ccee06

SHA1
e2049a2c94b1c6e677b49ea70935de9ea3643765

SHA256
dcdd6114a98b576ae6e36fec702dfe98e8f8adf74b07ec2111ca048f4fecd7e0

SHA512
570d8219cd11a7c452cc809b72ea8f53aadbab44cdbe06aef7076161b03f0c7d026b8d3cd95f435d0ec3dc63e6be69c1d7513c8691273c62b52dad7642b076c5

Download Submit