50dff465a2b9c4019d124fff7379f583a44783ae92ee7b4c9259171f35267ff2

Analysis

max time kernel
119s
max time network
20s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2972ce932617f5d4de02389a7865dd0N.exe
Size

2.6MB
MD5

b2972ce932617f5d4de02389a7865dd0
SHA1

06d0d34e44e8fa53c6ec9ca2bef5bf082a4c8fcd
SHA256

50dff465a2b9c4019d124fff7379f583a44783ae92ee7b4c9259171f35267ff2
SHA512

960d2cbce67fdc186d5313dc79e07f4770d0784699603d58a969adabdb1e88006ef055a98700056eb1d435ec5b3e863a557c2e149705db20d0abbc419b69bad5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUpLb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	b2972ce932617f5d4de02389a7865dd0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	locadob.exe
2924	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	b2972ce932617f5d4de02389a7865dd0N.exe
2768	b2972ce932617f5d4de02389a7865dd0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7X\\xbodec.exe"	b2972ce932617f5d4de02389a7865dd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxVH\\optialoc.exe"	b2972ce932617f5d4de02389a7865dd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2972ce932617f5d4de02389a7865dd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	b2972ce932617f5d4de02389a7865dd0N.exe
2768	b2972ce932617f5d4de02389a7865dd0N.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe
2736	locadob.exe
2924	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2736	2768	b2972ce932617f5d4de02389a7865dd0N.exe	30
PID 2768 wrote to memory of 2736	2768	b2972ce932617f5d4de02389a7865dd0N.exe	30
PID 2768 wrote to memory of 2736	2768	b2972ce932617f5d4de02389a7865dd0N.exe	30
PID 2768 wrote to memory of 2736	2768	b2972ce932617f5d4de02389a7865dd0N.exe	30
PID 2768 wrote to memory of 2924	2768	b2972ce932617f5d4de02389a7865dd0N.exe	31
PID 2768 wrote to memory of 2924	2768	b2972ce932617f5d4de02389a7865dd0N.exe	31
PID 2768 wrote to memory of 2924	2768	b2972ce932617f5d4de02389a7865dd0N.exe	31
PID 2768 wrote to memory of 2924	2768	b2972ce932617f5d4de02389a7865dd0N.exe	31

C:\Users\Admin\AppData\Local\Temp\b2972ce932617f5d4de02389a7865dd0N.exe
"C:\Users\Admin\AppData\Local\Temp\b2972ce932617f5d4de02389a7865dd0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\SysDrv7X\xbodec.exe
  C:\SysDrv7X\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxVH\optialoc.exe

Filesize
2.6MB

MD5
7158516e0e93759b7c7f69ae855d985f

SHA1
30dfbcac5c5ee3cef1c323fc1e69da7f6224ac46

SHA256
39c5eb9aea15730c1c8e159dd9411e371df2cb2300598e7d8be5dc293a79045e

SHA512
a53557f7fba87d00bd8e0407829b111e1b71d4d0c3fc7962d196f4c6dab26559a69f3d3ef6f49763a488f9c3e50352bf6c4b545e617bb007ed9079977363e571

Download Submit
C:\GalaxVH\optialoc.exe

Filesize
2.6MB

MD5
77b988293a59fdd4f2471dd1e46ccb35

SHA1
958a1a0cfc8651c92dd7eb8046f2ecef4b97197a

SHA256
c28be5ed560a6aa3e3a10e3d7a0be556ea9f84bb345e3272e06241612cba431b

SHA512
33247ff40f7ef359066a4f43690119eb5c4c06deb002cd0b865b22db7f3e1e24bfdab041491b9e56fcd0e611c0f7c400d6bc5d1dc2ef7706a3ca77461ea179ba

Download Submit
C:\SysDrv7X\xbodec.exe

Filesize
2.6MB

MD5
d0c767bac6b0af4ad01feb1ee3f521a3

SHA1
2f97d6e74324c2d24ca93002a12b86b162bbcfa3

SHA256
48bc92d7bbe0e45a33424d6a9e4f4dc220fb92280dca52414a0d4896e71c5653

SHA512
b47f691a098700b7355cd42bd87b1077c4a84eebb19f14cf04faf88e70501f31054f6ca1f1f0dba4b2962927ddb440e8f52dac691589d9d6136be40cd251ce05

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
41cc54b27f8c9830723c0a66631be559

SHA1
734399721374e64d67db17933b5d927d51604e17

SHA256
df4ab3769903a8938cd5e2a507cbc452646ae01bce2ee595d8eb51f2486e232a

SHA512
7d2f60f7f92942193325de3433c4c40850a0a2074a3d7a27cd1f1ea07696325278d098ece73a7921a2e5d8b614860dbd074208e625e35e1de93b9458414534cb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
55d9d5ae71b5e23e4597322d821fa03e

SHA1
f7857cc17a138702c7dddefb69dd1a7141f48695

SHA256
5798b1cef39ca6d630a20f72ff9031aefb6182f63ec34ae04d5cc0b1b9be8b25

SHA512
85e80b841fed5935bd4d9725574d4f643eaeeeb0c77c83de32e1b531f7fd83f228bf4d183dc4091c0ffaa950ffc65d8f4826d649b8db7e08b4167e36e177f1e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
3d403cb7f9183f622e99643c1a14c014

SHA1
03e25379c03f06e6b4dc533a2dc7a8e7c9b8b993

SHA256
49e2467ccf705cdc2701066575789558d9e669a3fa3fab790d6ac4f1777f5db5

SHA512
17d611d0d8f5396a7f88c4e0bc9db2dac09fc124c5ea90729a068a2dc05ac49af00251cf52c1a809d3888308e26fc08ad44524d2f65bcdc13c824cd8f7ed568c

Download Submit