715fd746529f53fee988fe5e32af80afe09a7786661706fdbd8a75b9ab95bbe9

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9872c782ca9c86fc45b8fa21c66feba0N.exe
Size

3.1MB
MD5

9872c782ca9c86fc45b8fa21c66feba0
SHA1

d066975adccc4e228d7b382eb42758a0c2ffc423
SHA256

715fd746529f53fee988fe5e32af80afe09a7786661706fdbd8a75b9ab95bbe9
SHA512

f8ec7d9e47dd4f2d798ee42bf4c55204a9ec84dfda3a83b02d30b0f46154e92b1e4e959ed69789bce2fec2a268d2663ffd3e609c53816515b64867dd16f8839e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpwbVz8eLFc

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	9872c782ca9c86fc45b8fa21c66feba0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1740	locxopti.exe
996	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFD\\xdobsys.exe"	9872c782ca9c86fc45b8fa21c66feba0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYD\\bodxloc.exe"	9872c782ca9c86fc45b8fa21c66feba0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9872c782ca9c86fc45b8fa21c66feba0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3556	9872c782ca9c86fc45b8fa21c66feba0N.exe
3556	9872c782ca9c86fc45b8fa21c66feba0N.exe
3556	9872c782ca9c86fc45b8fa21c66feba0N.exe
3556	9872c782ca9c86fc45b8fa21c66feba0N.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe
1740	locxopti.exe
1740	locxopti.exe
996	xdobsys.exe
996	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1740	3556	9872c782ca9c86fc45b8fa21c66feba0N.exe	90
PID 3556 wrote to memory of 1740	3556	9872c782ca9c86fc45b8fa21c66feba0N.exe	90
PID 3556 wrote to memory of 1740	3556	9872c782ca9c86fc45b8fa21c66feba0N.exe	90
PID 3556 wrote to memory of 996	3556	9872c782ca9c86fc45b8fa21c66feba0N.exe	91
PID 3556 wrote to memory of 996	3556	9872c782ca9c86fc45b8fa21c66feba0N.exe	91
PID 3556 wrote to memory of 996	3556	9872c782ca9c86fc45b8fa21c66feba0N.exe	91

C:\Users\Admin\AppData\Local\Temp\9872c782ca9c86fc45b8fa21c66feba0N.exe
"C:\Users\Admin\AppData\Local\Temp\9872c782ca9c86fc45b8fa21c66feba0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1740
- C:\IntelprocFD\xdobsys.exe
  C:\IntelprocFD\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocFD\xdobsys.exe

Filesize
3.1MB

MD5
35bc985fc197f388145f1b92df838d38

SHA1
b048a310892f8405153502839b473344d410463d

SHA256
0d66b97873159f379bb58b3365d50b90d978e4adeb7c4839c5c6d3954b3ba91e

SHA512
3c96522faddbca33970051d6a079f3ad8b2af5261c2ebd5811e219ed8f7c46589c27808de2a0ce660fb3c961bea119f84110f52663df3739fef8254ec91deea4

Download Submit
C:\LabZYD\bodxloc.exe

Filesize
3.1MB

MD5
da1037dfe6c896817879048fab63c67f

SHA1
13855f0c444ae2303f69f3253614490a28f05ce9

SHA256
1d7e5984259ec0f126098161e43ad9f0bd29eca6cc18077b235089f68dfb0766

SHA512
5152edc8e4123edaa567ad91b7d7e2fcff31e7f470a640d8b123950abe7766ada8246ad593f9ba3fb93e0671562b0303e04d1e32e66fcd9396e2073469263ff9

Download Submit
C:\LabZYD\bodxloc.exe

Filesize
2.9MB

MD5
e1e8fc8e4b4194b106da5027bd5408fc

SHA1
00d6f0c1b4d0977feb2e53098103306f71d3aed6

SHA256
f6fb00f5bf20e2e5659e46269d75ef17ae51166b0bf94f61e63b5ce942ba0efe

SHA512
982f9e3327e4f6b91482702c8efac1e4afe86663795a2bf81a73e579696f71094d12183d588a488b47300f4b59c65012f7082064e1e56345b53d5259f476fd96

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
b755093dd25335f647c3273b7e9c92c7

SHA1
65d0ce06575369b29b8a9f9ce4ce2856c165d6ae

SHA256
7831e9064befc2432d689641969ba63199afe5675b303b50657ec00d6163c09a

SHA512
f0df023608b0a77d3af0674c6e95d232dc3bd4bd24979a840a773d5b2532fb8c0cc7a1ed7e23c691486d6162019592e76cb1c039c163edaefd4c02ea85bd3b6b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
f47d8bcaa02fb519aa6bfadc5456fa29

SHA1
fb760d268644b9e3affe80fd1ec88930fc509b76

SHA256
67c0b530f095fccaadd65a52b5debaaaf23f019f0d1e7b8e724c69c8920dbc10

SHA512
63f251ee6d2ab6e3c03ca25b76b6eb2e3526a5742a5fed2b0f505d8550b26d6c139cd3149595d2aec8b3a2adae7c8e39ca78fbf3aafedf12ded4da31d0a0359f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.1MB

MD5
55f4aae8b904b2f4fa7ae9dcfe5cf540

SHA1
a3cd8ddb15df253fbaec2e422ea4565a7408824e

SHA256
dd30dd66f5395a522aab084b18f03975aa00b3669642974f28fae41fbfda193a

SHA512
54cc57b1bdc52c2cfcdcb117c564ab94b579068ac7858b145cd7aaa7b43a035af39c6712b83c9b20e5deb392bc336e2fc235b8ba45a9bd86ac26df235681bde6

Download Submit