ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 04:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
Size

2.6MB
MD5

5903a8fc3b180ffaaa182ed6c0e09040
SHA1

4e866daf5724641728cc5a44d6042752db832838
SHA256

ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048
SHA512

c27708f9505317ee7f6c1285ec53e66ddc7d93575050deef4f1332017c5037f0a034e04cbc6fed7e89bb5d1f935b6bca18c6719bdb63aa6e56a8d844412bd98e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpsb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe

Executes dropped EXE 2 IoCs

pid	Process
2992	locabod.exe
2912	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeM3\\xbodsys.exe"	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3P\\dobaec.exe"	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe
2992	locabod.exe
2992	locabod.exe
2912	xbodsys.exe
2912	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2992	4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	86
PID 4388 wrote to memory of 2992	4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	86
PID 4388 wrote to memory of 2992	4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	86
PID 4388 wrote to memory of 2912	4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	87
PID 4388 wrote to memory of 2912	4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	87
PID 4388 wrote to memory of 2912	4388	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	87

C:\Users\Admin\AppData\Local\Temp\ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
"C:\Users\Admin\AppData\Local\Temp\ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\AdobeM3\xbodsys.exe
  C:\AdobeM3\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeM3\xbodsys.exe

Filesize
2.6MB

MD5
4b2088e090e5893a7768ec711d00a49c

SHA1
256e1ded872502a14606d657562086ebb2571f37

SHA256
7660d905f958334fb3d917fd2a8cc4ae12e494d39ca310f4171f5cdb9c960095

SHA512
10d2fad6176a53198489ab9c1844c97f942328b605d701fdd6552a42a50a6d3cc5c4e46d8767070c26724f710ae196cd248caa907e604f824cd7b730fbb7d9f0

Download Submit
C:\LabZ3P\dobaec.exe

Filesize
2.6MB

MD5
223544dc8c97ffee78f9887ca8b7b85d

SHA1
f2f7318dac665eed8a2bf695622d0b5d558f3a56

SHA256
7808a4b7c819f2c8c4597ed0268ba9ffa2738e689d330af4680b2a64ef4e141b

SHA512
58dbaf881a199f319a91b976cc3b9ca4321c23feeae176d90487a7febdc5dc9120f0ac5e72cf3cecade8192d5af30381cf66cc0bdb1715e750859a6216f0cfdb

Download Submit
C:\LabZ3P\dobaec.exe

Filesize
2.6MB

MD5
06e1d54d39871e752b4944ddb71486cf

SHA1
fcd415cd81bdcd0002d18cdacb8f6efe4e6e56fc

SHA256
8d7648459820ab6a301116423e027999096c1f599a43136916b85e1a31a8d31c

SHA512
6e03786cbcb7c20d8ed67f31a80628a6102bcb8f94d19eee91aed59fe4257b668a057fa2c5db70959f29f08b52e5a24851ab1d9f86eee9b10379f57f811aefc0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
12279a4f6eed7f2a38ae1bc76153da50

SHA1
47b7602b444b6236548edb5825a6df20b7fe30c1

SHA256
15fc6676e1bcb7157f12b6ea19be7ad88b892b7bcc88275f964cf068b0578eca

SHA512
d470a4f22d9cf15aeb55301697fbff20eaf42264e3be7197224309593f45e3b6d757309aed6ea581f28a80218e2a49b24f98e58a6ece6de87cf1240752545b92

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
5cd51f01d77c92cf9a5b57862ed1d465

SHA1
cba3d06c41e91c962c9b13b8f8d1f3999dc57e31

SHA256
d35f7e8638f7f96fb8ac0d8519054c42dff2eff666bbdf5891ad617f9262381f

SHA512
395dcbba7cf4bb9f5453696f3b71aa334d9de48f035d0675eb34836eecbffe62552767e150309d28966e6ae3b41a8fb40bc0d07edadaf560a4d0d976e239d770

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
3846925cf90f87d6869d6fc20f17d8d7

SHA1
0d1f856ae6766fa838f8e154b591ab0889411528

SHA256
173a19f8e518a36b76f8557031aac71965290482e6555e2e69297288fc4e80b2

SHA512
0ab62f96d735c36e577b5cc6f609e87ea667a2c7a91a4fc0bf38d0f22b835f185795ca1afb9760fc405f1e7cf7fc0becb9e7996a82a117826700ef8e9c2d96b4

Download Submit