a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 01:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe
Size

3.6MB
MD5

26831bdd1e0b6b006d800b8abba36d8c
SHA1

a0fa71674bf01d93a68975f3595d8bfb1fd1c82f
SHA256

a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993
SHA512

b1a9067a0770d7372e3cbede8c4cb84eaedc83d57314a24d682b465cf54915774b94743175a2effabd26ebc22c0fbd6ecb191fca0a763afbac350757eecfaf6f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8:sxX7QnxrloE5dpUpUbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe

Executes dropped EXE 2 IoCs

pid	Process
2460	locabod.exe
4292	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGP\\xdobsys.exe"	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBM\\optialoc.exe"	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe
116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe
116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe
116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe
2460	locabod.exe
2460	locabod.exe
4292	xdobsys.exe
4292	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2460	116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe	86
PID 116 wrote to memory of 2460	116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe	86
PID 116 wrote to memory of 2460	116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe	86
PID 116 wrote to memory of 4292	116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe	87
PID 116 wrote to memory of 4292	116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe	87
PID 116 wrote to memory of 4292	116	a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe	87

C:\Users\Admin\AppData\Local\Temp\a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe
"C:\Users\Admin\AppData\Local\Temp\a4b704b8cab0a138c0a552025ee403ecb0853bf003d2b0ca0ef73d9477c30993.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\AdobeGP\xdobsys.exe
  C:\AdobeGP\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeGP\xdobsys.exe

Filesize
841KB

MD5
6ec9ea3c51f998c25fc949451f94c586

SHA1
ce6ca38afad9da4a56c4779362aaee05afb59c5d

SHA256
c9d6e4e807b28531c4fb076fccafe18c5b47f984058267c51534ce10fd80daf1

SHA512
f68cf63077a2636ab1594bd4d173c07f30a78127124977123a0886d84456c53dc8d90eee83e96072852324180d3a108369c7ca4ca9c066f29be358d931f78240

Download Submit
C:\AdobeGP\xdobsys.exe

Filesize
3.6MB

MD5
775f1833286905368c2c2d787a229299

SHA1
7c2739142870ddbf14f1d5b7490b3ae74fb4d805

SHA256
ee0e7ff425c49b34aed0ef2128cba7cb94fd819bfa5ccbd7a55983d7e7486924

SHA512
dbe4b84b8dede4ab8a6359728021c3a951964a314773c993316dafb4b641236668734f7168f9ebd374c1c0dab8bf87f47388bcedd6b6db94b40c23844073e4c2

Download Submit
C:\MintBM\optialoc.exe

Filesize
14KB

MD5
eea4aa3d13cff294fb9de101050d3b95

SHA1
8be9253d0215e54c585f56eadb2280278a3ef3fa

SHA256
4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5

SHA512
8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44

Download Submit
C:\MintBM\optialoc.exe

Filesize
3.6MB

MD5
22421ccf9109972469e4e7000bb8ed62

SHA1
797eb2ce741b06be9acbbcc9807b13efb0a78d09

SHA256
26d30d7a64e596da5cb494fc30a258e9f2935ce8ae17d54d46e873308e113e9f

SHA512
0c5c890f3462d3084c93d2ef1f22730bec4deb9fafe60a504e4e3d6a09f1a5f2eb4fe645c168d3d904d3cf2497cefe0a43ca06a79fab1ac13dc2092322c8ce7c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
06a7a73d46a554dcceb721dc5f2bee3d

SHA1
bbb9eb9f2b66c7202a0cee7b8c90033b88300076

SHA256
fbf3c85ec0895c1ce28574b379c57042f23fe7b73fbc435fcdab2fb4ce7f1027

SHA512
9ba690d668de46c8cf95f86138cbb711d9271152c791f943fba340d0f1c53737a76e5115428cf2237cc0210b095882f993be25b0d4cd4f2512f25546df2686b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
cea7a1155b6e2b7976567a6a2eb76f1b

SHA1
7c528e3d2585234a2cbc7129b7a879cdc233a295

SHA256
d190455239b5005df181a77482dd6ff50d222a2a3e8265164a2cf6aedd3c3db8

SHA512
67b63695b50b0ed136b98ee6ee4192db9e66bde18fa5fc8afe8d99e50e7b6cec986e76cbc663013ae88c5f7ed8e8a9729ec71f15a8644ca3fb73ac21898ddce2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.6MB

MD5
23eb0ff31563d110eed5b20e720994cb

SHA1
b5c1c6acdb79ddb579e424d3d0290bbd590df8a4

SHA256
040e167f5201d49ef08d8dd4a3ff5727b193192edba46dc6727e39e2626d69c7

SHA512
3c8eb1958f6c571cc8730c9997f60c5fafc07841b5cd0f39657305164896ed0a6719551f567ad71b7e98c6575447185cb81e8ba85a205e460e7bf77f1389d768

Download Submit