5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
Size

4.1MB
MD5

f7a6e8b52783d562ede808feff502dbe
SHA1

5c9b367dbd9e126011bc04cc78e12ebbb236c2df
SHA256

5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb
SHA512

09c7f17365370cfba4f7e02915d753e8d6a3a5feffae1c5574353024626c463f0ebd1eaa593267f59371676da2c14932fbfaa6035cc7cb814fd8e02e4776c0f7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpxbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	locabod.exe
2128	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocOM\\adobloc.exe"	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBP\\bodxec.exe"	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe
2800	locabod.exe
2128	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2800	2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	30
PID 2288 wrote to memory of 2800	2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	30
PID 2288 wrote to memory of 2800	2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	30
PID 2288 wrote to memory of 2800	2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	30
PID 2288 wrote to memory of 2128	2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	31
PID 2288 wrote to memory of 2128	2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	31
PID 2288 wrote to memory of 2128	2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	31
PID 2288 wrote to memory of 2128	2288	5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe	31

C:\Users\Admin\AppData\Local\Temp\5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe
"C:\Users\Admin\AppData\Local\Temp\5f49042f0b4b5fd86cf3aef8a285723879c7af16cb1bcd588fab712c6f58d2fb.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\IntelprocOM\adobloc.exe
  C:\IntelprocOM\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxBP\bodxec.exe

Filesize
4.1MB

MD5
fefca6b5369c818430548336e934450d

SHA1
47caf40b94e86777c8e67dd13ff22ddb24a9bfa3

SHA256
cab9ad52bbe2e0493bb815809ea9fecb46934574ee404b386b958233f52f22b6

SHA512
831a18d60756ed7e4e8190ad15873e5760a230a672042a9462ee4a0b9cec7f91ee1662abed991410e2037dcbe3e75dc101812c558476af0b04a7dad6b0a8181e

Download Submit
C:\GalaxBP\bodxec.exe

Filesize
4.1MB

MD5
e02fce76fd36d89cb2e68bb98a7137ec

SHA1
8493472d1fa20108f0de416056e5d234c6041266

SHA256
cc2f9da0f2de5369d02825a6abb6321c3a48391e62026ad227bf8c76ccb6c69b

SHA512
01612aa8c38132a3724ba4e235c364f8562914014abaf40bc8b293f02c02b8933c90a9a22000c328839065152b398e5e7440d656aa38a00217ad954ebca4ef34

Download Submit
C:\IntelprocOM\adobloc.exe

Filesize
4.1MB

MD5
52105dda5685a179f979a5b5dbaf9bfc

SHA1
264416bc333d37f6291e7d7410f1f2592b6e5c85

SHA256
9d015e436d0cb75ac03f02c46fafeb74c68e0e77065c474371655eb9c86fd0a8

SHA512
adae1f00838dd1a95a0b83f7a919e1536cb8131de2d63af0d7703c6ff39b5e775dd9f182e5f515008315c0e5b49bfaccc98f20ecdaa7eb386db278e84af00168

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
623fe141506e5c942efe17b55c188da4

SHA1
3f07f60ab984245782c11abbc4edbea607180540

SHA256
b9efeb3d32d62a49d1d0e533b98a9d2f07dec4a4a318e8b5d3b601722a511cd1

SHA512
a8f6aa24d7c85e023c0fcfd1d71f74a2d33b504fce2e0de30923c0a49aa1c5bd53089cf15166f1fefcce5ece59e897e1df38398a01cee55c8ce0421bdae7a76e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
97bf0e14126e0fb2e601c6c57caaf5d4

SHA1
2675a85e736412329462478d6ea3f2761193da0f

SHA256
f6858a20ec928d2cf0ef5f555ca5e47d3a4076b60ffa4e94ab0603db31c1bfaa

SHA512
feda2f40dd9794237e63b80afc4dbac6c98c3f2f1c372a77d3f920c84f61e5f35b0f8f1e301a9575a43ee2bff965444b3c54d6cfb1e4cd1546aa008b5e021073

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
4.1MB

MD5
520763e91bfb98739aa0b48e7f16b2a7

SHA1
e019edc924bf7ddef9de30dbccbc6e14b4cefd47

SHA256
907fa55fa4df295e6d4117cc0a1acb03c6175649ab0b4f016762011275e076a7

SHA512
839bc0fdb4cf87c31c317f5974f0e37ebd99b151497ddf639d59a1621d2ff866348ce052e31063ef4405180d6d2cc8264922045b892ee276546fc60b394eb2b1

Download Submit