5573c4947536bb470112bf7819a196499d33e819ab4e0154eae70b75daf14790

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ad68c32f9a52205f86d844c5cd0e40.exe
Size

3.2MB
MD5

12ad68c32f9a52205f86d844c5cd0e40
SHA1

22873f5c4b7150d635d90b51ba9447b9ecde26a2
SHA256

5573c4947536bb470112bf7819a196499d33e819ab4e0154eae70b75daf14790
SHA512

c73d7cf86638c23a8255662f062445207f2b2432ee5ce02dda8d6e4956d40c1bc90754b485ec90277d1ca9a7fd59497e157a7305578371aac5c01ad59fa0313c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp/bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	12ad68c32f9a52205f86d844c5cd0e40.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	locxbod.exe
2416	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	12ad68c32f9a52205f86d844c5cd0e40.exe
2424	12ad68c32f9a52205f86d844c5cd0e40.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLN\\xdobec.exe"	12ad68c32f9a52205f86d844c5cd0e40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4Y\\dobaec.exe"	12ad68c32f9a52205f86d844c5cd0e40.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	12ad68c32f9a52205f86d844c5cd0e40.exe
2424	12ad68c32f9a52205f86d844c5cd0e40.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe
3068	locxbod.exe
2416	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3068	2424	12ad68c32f9a52205f86d844c5cd0e40.exe	30
PID 2424 wrote to memory of 3068	2424	12ad68c32f9a52205f86d844c5cd0e40.exe	30
PID 2424 wrote to memory of 3068	2424	12ad68c32f9a52205f86d844c5cd0e40.exe	30
PID 2424 wrote to memory of 3068	2424	12ad68c32f9a52205f86d844c5cd0e40.exe	30
PID 2424 wrote to memory of 2416	2424	12ad68c32f9a52205f86d844c5cd0e40.exe	31
PID 2424 wrote to memory of 2416	2424	12ad68c32f9a52205f86d844c5cd0e40.exe	31
PID 2424 wrote to memory of 2416	2424	12ad68c32f9a52205f86d844c5cd0e40.exe	31
PID 2424 wrote to memory of 2416	2424	12ad68c32f9a52205f86d844c5cd0e40.exe	31

C:\Users\Admin\AppData\Local\Temp\12ad68c32f9a52205f86d844c5cd0e40.exe
"C:\Users\Admin\AppData\Local\Temp\12ad68c32f9a52205f86d844c5cd0e40.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\AdobeLN\xdobec.exe
  C:\AdobeLN\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLN\xdobec.exe

Filesize
3.2MB

MD5
5828e8acbbb540e4a16de88a486cee25

SHA1
2b666de883aaac75f214e25a8b17a419f90a2501

SHA256
9b0eb9ffee1d26f6516c7c8ae57e3d5bb2043f029df5c1f960884826998a15d5

SHA512
8fa11095201471dc8338b00cf998be92a41b5d9d8ef2a87556f6f2ee0a029a46ba62c0a3bc793ce915d2fd74146ab4c44d836be8c6e7feb67fa1f3b1396586de

Download Submit
C:\Galax4Y\dobaec.exe

Filesize
3.2MB

MD5
8a86856a272cda29071320d87e5001b3

SHA1
8b88c98efa599647089b468bc8c8828cfaa1f724

SHA256
4dd0aecea751ce726c4624fdeeeda8136c691873c9d4e64d5f6d0485a873fe7e

SHA512
ec3f0be41befc3550a0771bc305471ba2794440c78700fcc59fe8d6c4bb4204eff8737abe121b96b4b7092aefebf9f0ef9d0b8a199d18ae21d0623523fcf0a0c

Download Submit
C:\Galax4Y\dobaec.exe

Filesize
3.2MB

MD5
e6bececd78113ebae368d91860ba9df1

SHA1
6543893b3c159f9f64743a7628e33d261e5d33cc

SHA256
3c95653420978ee39f045ab800d2cc4cd71532182b34a05de7436e26dbbfa6f2

SHA512
7710984b8c7960fe2087c1cb16daeba90edd6eb628fbc7439f6920866d146fdc04b0e408ae3f566b5593175d27ad23c9cf6f02a1203fa22c35d63873fdf07528

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
dc76dbabb5ff7a8e03ce4c7f91bd0906

SHA1
730384fcdc33bf22ffa808aeee5b931de67c3760

SHA256
b5f165de811893f61739d97797d0701a0d8470abb0d8c303019e559344007c85

SHA512
e6ade982148816d8839185085e1b716d2c73fdd0bdeefd57c6b9da27dd8b32238ed2c8ceffba0772ee5a8727fd2ddaa158ef06fbde89963b0e1eff4e1996982b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
516939f89b394287fde4c0a47b19ee53

SHA1
1adf69fcb33d98a6c229e3fa8e750ade7c8aa0e7

SHA256
8f6744fc0604ad5be6d5c64775e07cc2d9c2c804e4bbe06e37bf52f94b894872

SHA512
bd14a198ebc6dc5d84cf7bc031a213705e8d2ef96fff5e688eb209c8ff8c6198ca51ae678c5298312e645d527d97888b800763012a29b171c490c355106560e4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.2MB

MD5
d9fa8831352e0e75dbbc237e91671683

SHA1
434bb767619cde601a1c8992c37e9732645fe23d

SHA256
f134b563a48788ca9cc3a98b28ba810171bd77d737bb80324ea6f8faeb0a7870

SHA512
ca5668774c780701079251471aacacfa59dbd8ad7bc82fad7a411eb55421a178347183f88d609a13b88710f11daf83d05ab7aec7713a2aa4f614dc0cbc867335

Download Submit