f64581d4deefd87bb1930dac2da3e38b8aeb8c93ed12e88d535ddd0191f9e9b3

Analysis

max time kernel
120s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
Size

2.6MB
MD5

2a35e3b3e0ce2ebf79ce73e6f187e580
SHA1

365ee986520f66f4231667b0b31e3e0836253cf9
SHA256

f64581d4deefd87bb1930dac2da3e38b8aeb8c93ed12e88d535ddd0191f9e9b3
SHA512

af15d9b93f16600ddb2e98973545afac29505ea46e4312d973558819aa037e40354b8c22b67be8c478a0061e411a6a80ad00f06272c61f781bff5599b0a90849
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bS:sxX7QnxrloE5dpUpjb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe

Executes dropped EXE 2 IoCs

pid	Process
4520	locadob.exe
4732	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesH2\\xdobsys.exe"	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1T\\boddevec.exe"	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe
4520	locadob.exe
4520	locadob.exe
4732	xdobsys.exe
4732	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 4520	3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	88
PID 3600 wrote to memory of 4520	3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	88
PID 3600 wrote to memory of 4520	3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	88
PID 3600 wrote to memory of 4732	3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	89
PID 3600 wrote to memory of 4732	3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	89
PID 3600 wrote to memory of 4732	3600	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	89

C:\Users\Admin\AppData\Local\Temp\2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
"C:\Users\Admin\AppData\Local\Temp\2a35e3b3e0ce2ebf79ce73e6f187e580N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\FilesH2\xdobsys.exe
  C:\FilesH2\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesH2\xdobsys.exe

Filesize
1.0MB

MD5
058849551c3d3db861cb24a84107a170

SHA1
2db2e00de8830e04b389144cedd343e51140e685

SHA256
97275960ec08e29a238f85d93b34089d4ee57f78e932542c3dc6d74b15b2c09b

SHA512
68cc7e0fa66c640c410b9ec5239dc20aec6c0ccd42cca9524019aea933ca9e39aa809ed2f35e8ce4551f7823e585938e270005e6e83065f10af38011cd433834

Download Submit
C:\FilesH2\xdobsys.exe

Filesize
2.6MB

MD5
49285275c19733d830b7a143a4b2f11b

SHA1
6dec3625e898eea55fb916d918f1392c8ca212c0

SHA256
166fc3ed9c096889e6bdcd127359419cb4704e347e19a4fcbe632e8fc0f900be

SHA512
b558de10d35c4a4f45fe82a328a89553fabedc3f982c5c8c8a932b021923c86bd978cdcd7093fc664f4b8e6cfc7fb36e34282dd249a901f6b3e7787d7a768b86

Download Submit
C:\LabZ1T\boddevec.exe

Filesize
2.6MB

MD5
bbf254c8329355b4efed8dbf98b1564a

SHA1
40cd22786758075691778b3dd0b6678fe4cb2313

SHA256
eada2b79fdf92ccd5f5d5701b4e78f75535efa4ed74ac1849657e821686c91e8

SHA512
ba3f6a06ed23b31c4ccb2f772b9ca0697e1cb24a98f0a19c219aea27db072d309711b89c798bc9fa5f828b27b164636a63ea48a1174363b4382064bf5afbce86

Download Submit
C:\LabZ1T\boddevec.exe

Filesize
20KB

MD5
586dc09d5804dc54d44fbabe2f70a2f5

SHA1
1b5a9a763950331479ac1c498b03264cda1e5e0e

SHA256
33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079

SHA512
54a9d8562e63f9b26ca5680b6e9a17abb896ba1d76fd279957335198bab32efc42361d0585349bd615b1859a022b024d4629234b578a41c99310d0b00c64998a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
4a8aa62e37e0bd5af058224c868f004d

SHA1
68fb69a3c5a958498131547ae0fad522dd07cb66

SHA256
28ee98041db9cb51108b05fdd152af61add5985824a7943d280f9cf1f2332b9f

SHA512
0452da3719c9564741a2577208da25f95a351b4f7e175f81d573667baa0b721b66650fc6b9900969b608a4e3722d14e0f3030ac5cca1201f3f526cafd1742a0e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
f97e845a260ba1b998499bc18b4a79b8

SHA1
3b998e23bc083dc75a30a2a90fa27b073e480448

SHA256
fddce4fb267cff12a1e9d65c772dc52db739e33d59d922e973aa0960323b67f2

SHA512
98b2a84262da49034c777f95c37aff93d031fe02c74a430c9c6a35339d75ff7729e07f25f3b199be8dc53e81b1b0f1f3bc1ba4b083717245d19b3aae402fb308

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
04f061b3e45a727c0556da7df2c54ad8

SHA1
f9ccfab06e23e592e6f04777ac8ca77b1b02c581

SHA256
f113602d9d248701a6159d6724ed0b4a6f7e37926d8e0119c0d3096024a36664

SHA512
efd22453fa0565ff1854677b5711f8e69e581d216958b9f72b344d6bc0a8386b7498c765c4db7f29a6344abe424082715f439ea2ee50d57d76c246a7d8e26225

Download Submit