dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe
Size

2.6MB
MD5

df7acbb7b51a8a9b20df6922b7714be8
SHA1

2e02a50e62e878028280a2ed23209a65c34f68f1
SHA256

dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec
SHA512

5b8b323479f6dc6fdf15dfc911afdbfb67f7b7de01aeac7fc496b1edf79e62927eaacccb42a9faa8f4301095907569d8fd7b7fb9fe9593812e3530ed1b4e89eb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSq:sxX7QnxrloE5dpUpDbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe

Executes dropped EXE 2 IoCs

pid	Process
3436	locxbod.exe
2920	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDN\\optidevloc.exe"	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvV4\\adobec.exe"	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe
4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe
4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe
4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe
3436	locxbod.exe
3436	locxbod.exe
2920	adobec.exe
2920	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3436	4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe	88
PID 4836 wrote to memory of 3436	4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe	88
PID 4836 wrote to memory of 3436	4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe	88
PID 4836 wrote to memory of 2920	4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe	89
PID 4836 wrote to memory of 2920	4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe	89
PID 4836 wrote to memory of 2920	4836	dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe	89

C:\Users\Admin\AppData\Local\Temp\dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe
"C:\Users\Admin\AppData\Local\Temp\dbb04e0651d7074d029702704f647f94e95e4100d070d3959a23d0056ffd36ec.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3436
- C:\SysDrvV4\adobec.exe
  C:\SysDrvV4\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvV4\adobec.exe

Filesize
1KB

MD5
854d7024d6a3690861a5e13adeeebc56

SHA1
2ac1cc8c12d24dba6b5be96438f764753e2534af

SHA256
7bee14ad9ce88140df4a16649b935961e01da085178d766133129df3d97623d4

SHA512
83e4768567adea2aa5df900d4c232d5f8ccf5bfaeb8524a7641aa8d27412adf71a2c90d307b2a7c43f43dbc803b2ee2754ce4035888a928c3543f1c8912422a0

Download Submit
C:\SysDrvV4\adobec.exe

Filesize
2.6MB

MD5
667794cae445bd026506b87b76d62f97

SHA1
10279037f1d524de387dcbc9c8a69a12e311a22f

SHA256
9f66f57398ae0b22b725543b2341f17880e27d98811fdb68f6ff80b47f2f6dd9

SHA512
f227448e8621b4b6ab3bd5557edb7496ba3237168a7824bd40a8cd0bb11da70069abd8b36ed38e822d6bb574ff8cf08ee9eb9053f8a5af9150b4d5e60e762ca6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
f9897cec5247d291162bfbc2af4218ea

SHA1
d79df66827627f38234a362f40e5fa1178e5dda4

SHA256
5779b43fbbd41b29e67c920ba82c60adaf18cdaa603cbef7d385a9d619ed3163

SHA512
4898639eae701778ab3267b48e5d0a74f8c6d5397bb1eba3ee44e61b17a6fd83bbcbe67dcc87000511d90eab3afcbf15b9d5b0e9677c9d35d8bcdf3785695c1b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
a3d09f144f1b076e804fb00b749d0e7a

SHA1
6b735789525402678bac1dd4b580015b765677de

SHA256
9dc97ea4549faf7e4cd1ea5b4538e83f4a306c622052de7163c3958dcc1ea607

SHA512
6a0788afdc481ef7421fa251ce1476cf16f9f0c0a9f3ca7165920558b4b3996dc6a7d949eeb79cacb1ab8899bcdd194ce485974a01815dd9983973bcfad32fb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
8f12dc8b76f7b226cb11edba0c36ba07

SHA1
586e3ba13b23760a4cf76636a80e2053ae9e511a

SHA256
7940c7b1fa50da86cadbd351fe3412b5e1a03b81b71f5b51c883e6fa390f188a

SHA512
f0ab54a10e44fbc68c01045a7b31496e1eccaadd3078a0337a35690517426461c8f25eca6a06ddae84f99c51f0d4600b780c347a3883c657335913e5879b409f

Download Submit
C:\VidDN\optidevloc.exe

Filesize
2.6MB

MD5
01d58e754a80b34a247d30973e8b0ef1

SHA1
33ad3de54b6dc011cdc9ff2e2ca6df84a2f5a06e

SHA256
3e096587fd79160676666702fcfdd896e79c7aa4fedcc7f58bbff1af76a11deb

SHA512
69940040607b2437f63d3d5a22ad5f24660e60a4d4d182798658e9c9b727ff7df8b0a219dbdd17b081c83945be28adb1efba9cb121340f0f16a01c78bd35fece

Download Submit
C:\VidDN\optidevloc.exe

Filesize
2.6MB

MD5
ce326f4d8aa92b84b10a6450f626e2f4

SHA1
4978cdef954fbe4b298be5455399bfc323a1f3d4

SHA256
e087c9087b513b6d902734c02f2d439248b77db946dc83b0e09003b1e6ab33bd

SHA512
adfd314b4e21a78d34d55fb77623fb3692ce25482e0585dfd6a20c4fd30a81e64ef3f20fa9f7c8e3376d29f78489fa301978d4c65c7953336e55784a665b2bba

Download Submit