87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 01:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe
Size

4.1MB
MD5

008cea9f3ae4227db5a308ebc438941e
SHA1

e53d4c954b1ba659147f3885997376fa0ff7f9b4
SHA256

87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656
SHA512

62c5adf184f3d0afbb80b9e37d8fe25519adf9963ad57e30bd3fdd4d95e2bf1fad18bf86bf8f4f67b0493d42964fb02eaca4ab8acbdfd750a250f9d788a68aa3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpfbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe

Executes dropped EXE 2 IoCs

pid	Process
3544	locabod.exe
3232	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvA9\\xdobec.exe"	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZR3\\optidevec.exe"	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe
3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe
3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe
3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe
3544	locabod.exe
3544	locabod.exe
3232	xdobec.exe
3232	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3544	3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe	87
PID 3212 wrote to memory of 3544	3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe	87
PID 3212 wrote to memory of 3544	3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe	87
PID 3212 wrote to memory of 3232	3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe	88
PID 3212 wrote to memory of 3232	3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe	88
PID 3212 wrote to memory of 3232	3212	87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe	88

C:\Users\Admin\AppData\Local\Temp\87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe
"C:\Users\Admin\AppData\Local\Temp\87e7677a17f6eca6debc245d9428c4493bc94a4ae178099c30515eb08d272656.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\SysDrvA9\xdobec.exe
  C:\SysDrvA9\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZR3\optidevec.exe

Filesize
112KB

MD5
3bdbcccbb8535670ce407d2cce9e560b

SHA1
b614f77a380a651c2e92690c297a6392c73d1679

SHA256
e8c2004b2c0cc275ce5481860f748bc51c82b3475f708c72876da5e04b12dd99

SHA512
7f0bed1afe54b80d78b59fb5b0ce63d916a6319ed6b653265db03c1c6419f5f50171b5aca83d93fa50935be41a2ce844140117317739bcd9735ad602ff252a93

Download Submit
C:\LabZR3\optidevec.exe

Filesize
4.1MB

MD5
c55c46b4b8789433b06265ecf349cbf3

SHA1
69995d1f99476109aa9326648d1853ab68053764

SHA256
233a536d13b335c1503fd185d58148abda65faedb531750c7b4b6a4a7ddac1ca

SHA512
e97732e0ce84c523f6bdee617702eae5a7b234459135cbe66473562d9f8747bda72071f4f1b8ee7e2144de15edf0debcec07b89029254100e45b8645bb9c3dcc

Download Submit
C:\SysDrvA9\xdobec.exe

Filesize
4.1MB

MD5
dcedc72538f615f24bc425f1a0cdc304

SHA1
a255eda5a7579e4e139e94644134c88314dd162a

SHA256
55d10fc02522b73b662eb9d8e89ee4990faed223de5e3aba0339e53f548f116a

SHA512
9b8042e94597d279ffdeae33b510e996ffa3f4a5edad0fb2e7728d8129af6a469701b88bf0d0dc3b7793e17975c67918c4323dfc2e50a4b6f333ce11e3daf005

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
feff858ac994951e57db8bfc076b9317

SHA1
2e38d0132310ecd950bdf5d4c94b1524a33e2d33

SHA256
17b1b2ee007a55b6ddc8ed78fab53adc27b1726e62ca9f1f7b96371246dcac0f

SHA512
9ba1361846e677648ac8c8642d5f2b2e4bab44573c27701265f518a6ae79d39fec09b1f478b687d9d0e0e4686e39b9288f410eca50bcd086391031a9a5eb0763

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
d74bde256496a170f07f91a7b9cff14e

SHA1
5b1cec94c768181181c92fef81f77b46bfe1d1c4

SHA256
ec5d3423f1355501f4ea7f110330948c9aa0e045217a6141e9c811b33f7cef45

SHA512
4b0b0864e5c04f9469cb210674c05943a72deac016f68f5e67c89e891e52721d12bd3e257e886022cc2e6933689199313ad374d9ee127896b3a27b059fdc779b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
4.1MB

MD5
a4c6955d0a2ff6305d2ce6ee7ead318b

SHA1
2f65490d57f6e8460b2e8cd99c5b65f035415d2f

SHA256
789330d459ef95bbb43c21ce8d53d3ef3b71539953a80aa149c65dff363fbde4

SHA512
b8af4f87cc4fd615d0bc834cc65475dfa25d064115d2222646d60e0d4b7be50174e18d802c9cfe5c8c8e5ec69c9b9b8dbd4e547d8a5df771de7143308d8a4530

Download Submit