cf48709cadd97735bcfaee52d323bdd6f08186620f5b5b56d3d7dacefeb4c63e

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0c0f12bf23313126924bcb7fc18f4f0N.exe
Size

2.6MB
MD5

c0c0f12bf23313126924bcb7fc18f4f0
SHA1

09d6facd81ffae28f8f33488ca0aec9a4a14cc91
SHA256

cf48709cadd97735bcfaee52d323bdd6f08186620f5b5b56d3d7dacefeb4c63e
SHA512

8a0a1fbf81a0f7830b0c70076aef6db553f08192f3dfade8d111b11051d6dae57a2ec0d3b1e676d0da4ccdfdce961b22661a509839b60cc445a655bdbca3b56c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpSb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	c0c0f12bf23313126924bcb7fc18f4f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	locadob.exe
2824	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe
2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUL\\xoptiec.exe"	c0c0f12bf23313126924bcb7fc18f4f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB3R\\dobxloc.exe"	c0c0f12bf23313126924bcb7fc18f4f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0c0f12bf23313126924bcb7fc18f4f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe
2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe
2724	locadob.exe
2824	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2724	2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe	29
PID 2304 wrote to memory of 2724	2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe	29
PID 2304 wrote to memory of 2724	2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe	29
PID 2304 wrote to memory of 2724	2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe	29
PID 2304 wrote to memory of 2824	2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe	30
PID 2304 wrote to memory of 2824	2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe	30
PID 2304 wrote to memory of 2824	2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe	30
PID 2304 wrote to memory of 2824	2304	c0c0f12bf23313126924bcb7fc18f4f0N.exe	30

C:\Users\Admin\AppData\Local\Temp\c0c0f12bf23313126924bcb7fc18f4f0N.exe
"C:\Users\Admin\AppData\Local\Temp\c0c0f12bf23313126924bcb7fc18f4f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\UserDotUL\xoptiec.exe
  C:\UserDotUL\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB3R\dobxloc.exe

Filesize
2.6MB

MD5
d61e1da5cd55ec68a4c922ddcc9a9842

SHA1
67b755662e9f1e7e885fcb725e668ee841e576b5

SHA256
421e5e9f7183d8ce7940398a5e6a8cbbed9f45d447de7b01fe96b107ffbd703b

SHA512
33b8130ce0b859e0da81ecae84e789bbc45a63f6b7d238eb82284f35d505356a0c4cf83d157d0fa6a09692f9052d6dd39cfb5cac003294586d404e59022bcb37

Download Submit
C:\KaVB3R\dobxloc.exe

Filesize
2.6MB

MD5
80b9e274e5d2fa3480f3bf6c1a927e14

SHA1
973d7bca4bcef2a26683182b674643c567d4e675

SHA256
8f0ec8d2757f09fcdc9f90624c466109212eb659db74c56e80e850f623795de3

SHA512
4dfb1e89281a5eec4e661f6144a2c3102eb79538ad89c7c7e5f7134c2efe5f6cc45c8675f5c03d60a7b3cbec38f34058ee61002a9e89230dcb947ec0103e11b3

Download Submit
C:\UserDotUL\xoptiec.exe

Filesize
2.6MB

MD5
45354b676e73d3f959c9f2b61a6a39b0

SHA1
9f66d5959f5c51d405e1de6b9ef5b0ac8d2d2a3e

SHA256
225fc31a0a2cb8d12546efd84c2947977e39ec2d2c52a1e8ff2dddce869743c6

SHA512
e72183d7bf72b4f8f5dbf7cbc008db83d63889d45f493e4fdcb8a3ea728d8062ce68f92aff16622686baa48bad82ada17863805a056ee923ed89613746daec04

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
84a4e434c475d7fe2ce60f7e80da6510

SHA1
f7bd4896a1e043fa1a4768d0ff4e233a284a7080

SHA256
1c23f44c4c28403d415d8719859322b2373599864875a07de4c0a01fbb8ab7b9

SHA512
6ea6b6d431f423da359e9151d9763dc89afb0aad2d3a6793962c75626dcc93cc2c05847665efd6f467951a6c427b3507f626d9d72f07aa956c530bde7315d4a9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
59bcebf001bea02673398640774fed20

SHA1
a980b77cf25b0272348d8e74acd190c62c3fbf75

SHA256
72ea1d7657182cee6860dc135cce76a64386b2a311ee282d6db24e9f1f4a8cee

SHA512
a3cfe9a01af231bf396583f03bddaa2dc149b96c68f07fa08caf841a688850a527def5f5d306d800596295a44bfe7a49a14293b2557b10045b86ba3a971a5886

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
d41646b308d033f8dbdcbfdd6ff642aa

SHA1
8899381fd74ac7b97cf5a1a5b1c9cae6af5802b7

SHA256
cd1d0c1c635de0be136e1150ae1e5254807c56cf25efadbb25f0ec75fde2c24f

SHA512
65e659a1a66f8c91f90c3c90c59f367ef3baa8253678f8a579acbe2bd322fcad35dbadd612153d26b9028fc478e1952fa817b939bf761a60d8a7dcd63929f2b0

Download Submit