d3466137e0217a6a722469f241f8b75540c9239665bf31404cc3c41fb4f989ca

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af6cf529b58b24e3ffb4fea5dccc8c50N.exe
Size

3.0MB
MD5

af6cf529b58b24e3ffb4fea5dccc8c50
SHA1

df69c48d5927c343d2f16117057f14431a34a01c
SHA256

d3466137e0217a6a722469f241f8b75540c9239665bf31404cc3c41fb4f989ca
SHA512

14db2ea9f7cab422b9eef482d260e5f3e90ad093c45c148131acc73a8100a154554b6114b74140c751fcda11edd3c1ccaf34d7629bd2704c42924c548cd37025
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	af6cf529b58b24e3ffb4fea5dccc8c50N.exe

Executes dropped EXE 2 IoCs

pid	Process
2324	locadob.exe
2364	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7A\\dobxloc.exe"	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP0\\xbodloc.exe"	af6cf529b58b24e3ffb4fea5dccc8c50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe
2324	locadob.exe
2364	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2324	2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	31
PID 2500 wrote to memory of 2324	2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	31
PID 2500 wrote to memory of 2324	2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	31
PID 2500 wrote to memory of 2324	2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	31
PID 2500 wrote to memory of 2364	2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	32
PID 2500 wrote to memory of 2364	2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	32
PID 2500 wrote to memory of 2364	2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	32
PID 2500 wrote to memory of 2364	2500	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	32

C:\Users\Admin\AppData\Local\Temp\af6cf529b58b24e3ffb4fea5dccc8c50N.exe
"C:\Users\Admin\AppData\Local\Temp\af6cf529b58b24e3ffb4fea5dccc8c50N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\UserDotP0\xbodloc.exe
  C:\UserDotP0\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint7A\dobxloc.exe

Filesize
3.0MB

MD5
47e0452f4da9ac951a24754c5cd8a5cc

SHA1
0319afccd9a11489de58b238486e00253a19ffc4

SHA256
34e4986bf3ce85e80cd15fd0a55dce4d69a05cbb786cbdfbaa47518e374810c5

SHA512
196329a2ef271757a75dcdfa71d95f2168c50e439ad465b0659c5b5692d91ac720a87d73334eafb7604fd8c13ee92e2a3643a9ee42676b271f00cc7fe0a92376

Download Submit
C:\Mint7A\dobxloc.exe

Filesize
3.0MB

MD5
77471b18ab7d87c4f74ddc77e5e25bfb

SHA1
7711ca70e20c46aaa2545226b6ec5e751fd1e057

SHA256
d8938e6d6b5b5958ebd3bf9a0bb092ee46a4d2bd35d8dd907a642e8feaa84571

SHA512
4065169759aa06b7aef7863a75f2e1e63733313b2b8270e497948b1c5e71e459e6979a78b84cb11461e6331fe2f5d9119121d320cc4b9e2b05ca053780e2a8b2

Download Submit
C:\UserDotP0\xbodloc.exe

Filesize
3.0MB

MD5
9d39f92d1a541232c8c9d4ff72fdc3cd

SHA1
f602dcf16d66af967c70fb334c1832755708ef92

SHA256
438d0f5ca59c9b67d4ac0b62398dcc4a0287cfef655cd0d49d3cc76f9a5f08c4

SHA512
2c9803d4f73508c1e9ea305e77c873edf004ab6db71c8bf1cc996103289683e448374cbd4f3a4f99c7134b7bb0302a082baff27db3bcbb5a30765f8f2b31e55c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
e43e5b50d75495f8e5e54434f109ec91

SHA1
998b92b0539e3ef765f3dc693c0e53b4c3fb886a

SHA256
109261c823c5d609c3a90b576b7bbe1e0c4587db5dd05d4462dc0658bf49984f

SHA512
f806867e57b1c60eaa6eb09adfe0f0e9e772672d9b1a536384b739f31a23b91d79f2b30a18145893c3d4884c874ed0cdae0d6dd33f5ead1e2668c40b8880d5c5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
7c58c48f4fefff24ed23e6e76d57edfb

SHA1
a3bddd073b8b456e247cb1fc8d317d3e7e79597b

SHA256
735f4f8a324066a6f1c731a019ed984ccfa8d5ff6ece333922fd36f22f050823

SHA512
c731264bba3defafd20046df0505789900493f677e69c3477d7a13c46ae704120005839161b178497dfd98c041e939d5cc71fab4cc76c949b17af31dae8b6b11

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.0MB

MD5
a7a619e8170a379b10ebaaafcdf0e8f4

SHA1
eb944137db2145bbd06d99fb75621500bb28edd8

SHA256
7968fdf9aec439c2e3a2303912b626da5e9ff4e99873fa3cb5699603316baead

SHA512
ae7d190a91f07771b6f4108aac67032a3d7ab0f1a60092142b342d8adac329d9631a6535ff79e526cb66ed842dd9908b94ae084757b48a18ee37aab4803b4b6e

Download Submit