e436b21d5745194129061bd98c96c1ad9b85cb40e30d7d195944acea45e22f07

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b424240f82869409f8c3328cc3589740N.exe
Size

2.6MB
MD5

b424240f82869409f8c3328cc3589740
SHA1

0b17cdecfb95ebc011a9e7d7becae40dfda74db9
SHA256

e436b21d5745194129061bd98c96c1ad9b85cb40e30d7d195944acea45e22f07
SHA512

c1fcac5db946f34d7e932d73afd06f08aab84e8b99ad85f3d0e39c55cb4fd9391b4dd0a050fa18dc7a6394714fc4a4f3cc5e90418e495c5eb879d2eb04519959
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS:sxX7QnxrloE5dpUp7b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	b424240f82869409f8c3328cc3589740N.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	locxdob.exe
3060	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	b424240f82869409f8c3328cc3589740N.exe
2692	b424240f82869409f8c3328cc3589740N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIO\\xbodsys.exe"	b424240f82869409f8c3328cc3589740N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDR\\dobdevec.exe"	b424240f82869409f8c3328cc3589740N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b424240f82869409f8c3328cc3589740N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	b424240f82869409f8c3328cc3589740N.exe
2692	b424240f82869409f8c3328cc3589740N.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe
2800	locxdob.exe
3060	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2800	2692	b424240f82869409f8c3328cc3589740N.exe	30
PID 2692 wrote to memory of 2800	2692	b424240f82869409f8c3328cc3589740N.exe	30
PID 2692 wrote to memory of 2800	2692	b424240f82869409f8c3328cc3589740N.exe	30
PID 2692 wrote to memory of 2800	2692	b424240f82869409f8c3328cc3589740N.exe	30
PID 2692 wrote to memory of 3060	2692	b424240f82869409f8c3328cc3589740N.exe	31
PID 2692 wrote to memory of 3060	2692	b424240f82869409f8c3328cc3589740N.exe	31
PID 2692 wrote to memory of 3060	2692	b424240f82869409f8c3328cc3589740N.exe	31
PID 2692 wrote to memory of 3060	2692	b424240f82869409f8c3328cc3589740N.exe	31

C:\Users\Admin\AppData\Local\Temp\b424240f82869409f8c3328cc3589740N.exe
"C:\Users\Admin\AppData\Local\Temp\b424240f82869409f8c3328cc3589740N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\AdobeIO\xbodsys.exe
  C:\AdobeIO\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeIO\xbodsys.exe

Filesize
2.6MB

MD5
db19640361c2efc7400f28c9301e387f

SHA1
95649e92f0782c9d4a8027934eaf5ffa5888e92f

SHA256
5d1e47ad1281f3cdc6a9c204db83093f432db6e4c44e8f6d436f00cd94df25b7

SHA512
0d60c359a78ba86f1596d4358f15145ab730944af96ffca8af99a7ce6dbc7ab6125809f665f506c9fae42aeffb27f87d649a6254c26060685bec62ddcd906c1a

Download Submit
C:\MintDR\dobdevec.exe

Filesize
1.6MB

MD5
a23f73456cf57f6942ff1fe1441b4cae

SHA1
2dc6db7f1898ce8fe16042906a0cca3004bcc464

SHA256
46a4a60f35788c824b4899fe1e178c160bc9f309a484bca43fa7273c2806a411

SHA512
862f33ca57f221b0f66a5fe456eff7a2deab22c377d53af64984166a25ef631f136997e8e3f4ab64cd0c55a335e2ea69edcce5dbf987c795617883b972d8bbb4

Download Submit
C:\MintDR\dobdevec.exe

Filesize
2.6MB

MD5
c3163f72519cd1d69844d2dcd610e548

SHA1
0acd95756faeeba93b4743099f46684168599439

SHA256
8eb1c518fa544f2c19bbea9df948ca7c784f33487e851bd5c2b072171a0e8504

SHA512
c70dc4f2fb0440de50fd906851f7a3a85dd5a931609ce2e9262f196f42b7c371fe49e607d364a9502c6ce143541b3d3b0770eb2a189ba9b4a4db7a1f621df6ca

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
b17316c2c6d2a23dae6f975d53446d8b

SHA1
fa4922875adfcff88f39b04b9795cc57a15dbc53

SHA256
a33b481b76f8b7ba6ff3d5be8972ae0c140489d0f2729f4e9cd2c4a17b1976fa

SHA512
2af6712ab247075da4c380e295d1546baf8f22dcf0fe507625ee789469371ac63a9403991b749baf6f9694059f3697b7aec1b5bb25fb99f9c9086e7a72f10b0e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
87d2ad61f052f4f0f8c23681ff635fb6

SHA1
40e07adccd7543cde42497c0d23279b05e7df7a5

SHA256
16417d92b20f29e74de6054d3ec879a881e84828dfd0a44e1b2d10d4d5801118

SHA512
4383c89f27a3b37a05e9a5d30eec126f109b030c1a005285ee7e64db072dec7b637721f6e8c45f6ae6e023dfac822120525bde7a3ddfa018260e4cebfb759a21

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
06cc3a4e152082be0ea13c78975662ad

SHA1
b4450f3928d27c435f96c5379c79939b6e936180

SHA256
d7745b96fa3d35bb3749a4562b13c5991a6f08ec3b14663edf246625e233e72b

SHA512
7edb84d3946d7044ad0432fdab6566f6818220666dc5ae26189f12b97d7ed44e6f04a76448fea2fbe9f1e91ff5f8b1bd803d228078423174fac41331864bbc12

Download Submit