a21415e1a4da814f2b3535a7b025b1fcf25625bd9fc24374f948c9e607fd1ab7

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e418aa4c597b2d7c888e41aed337f20N.exe
Size

3.6MB
MD5

5e418aa4c597b2d7c888e41aed337f20
SHA1

e7f69c63cb41dfd0c334c59a1ad4a787cee06dd7
SHA256

a21415e1a4da814f2b3535a7b025b1fcf25625bd9fc24374f948c9e607fd1ab7
SHA512

e2d3c3481237df31e2971e5fd2f49ce6a5b6d3e724fb600adf46f9f52659eb18e80b9cfedbc69d8dc00f2d44b191a05640747bc452f6330c00737133de7486d0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpGbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	5e418aa4c597b2d7c888e41aed337f20N.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	locxbod.exe
2624	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2696	5e418aa4c597b2d7c888e41aed337f20N.exe
2696	5e418aa4c597b2d7c888e41aed337f20N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0R\\abodec.exe"	5e418aa4c597b2d7c888e41aed337f20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint1D\\dobxsys.exe"	5e418aa4c597b2d7c888e41aed337f20N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e418aa4c597b2d7c888e41aed337f20N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	5e418aa4c597b2d7c888e41aed337f20N.exe
2696	5e418aa4c597b2d7c888e41aed337f20N.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe
2740	locxbod.exe
2624	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2740	2696	5e418aa4c597b2d7c888e41aed337f20N.exe	30
PID 2696 wrote to memory of 2740	2696	5e418aa4c597b2d7c888e41aed337f20N.exe	30
PID 2696 wrote to memory of 2740	2696	5e418aa4c597b2d7c888e41aed337f20N.exe	30
PID 2696 wrote to memory of 2740	2696	5e418aa4c597b2d7c888e41aed337f20N.exe	30
PID 2696 wrote to memory of 2624	2696	5e418aa4c597b2d7c888e41aed337f20N.exe	31
PID 2696 wrote to memory of 2624	2696	5e418aa4c597b2d7c888e41aed337f20N.exe	31
PID 2696 wrote to memory of 2624	2696	5e418aa4c597b2d7c888e41aed337f20N.exe	31
PID 2696 wrote to memory of 2624	2696	5e418aa4c597b2d7c888e41aed337f20N.exe	31

C:\Users\Admin\AppData\Local\Temp\5e418aa4c597b2d7c888e41aed337f20N.exe
"C:\Users\Admin\AppData\Local\Temp\5e418aa4c597b2d7c888e41aed337f20N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\UserDot0R\abodec.exe
  C:\UserDot0R\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint1D\dobxsys.exe

Filesize
3.6MB

MD5
90430dd5e6a2f850880c2606685989c3

SHA1
999f29a8970d2f2b374a3de2d87d6db67954fed9

SHA256
cf5d5e800485ec2bd64ef2948d52b86cf2cf2ceab6dd165cd9a929c5af1662f1

SHA512
cecd45dab7f9a628fddac6f5031dc9dd312f1b5cfeaa6197a212fe3d72914185c9f81f4891b546f477dad4bbf3a240fc6882e472f414baa682856697bd596bd6

Download Submit
C:\Mint1D\dobxsys.exe

Filesize
28KB

MD5
2cc5d02d9df0ea3a10ce63312ea6a73a

SHA1
9808072d6d524e6d6ba19eefb8a7f449affee942

SHA256
c25be800557e343728fffc10a866f45450dbe2682c25cf1fed52ef203c65ed44

SHA512
f9ba3792bb34a4ae16878079cf1f0f12ee3abf33e089feda21ac493d24d0fc3b7125cca22cb7403dffac17728f2d398d56a8c34454a682203da8daa4d1300bd3

Download Submit
C:\UserDot0R\abodec.exe

Filesize
3.6MB

MD5
08cef8ca786d61d39fa9b1baa3153433

SHA1
fc2c503c61f138de8e575729cb6f66365ac83a47

SHA256
29d7da77b99617b0bb6ddb61fc1bf2009c9678229785051de2a7427adfe31727

SHA512
de2bbdbe91fab63e76706a6622372614632a31b0c7cf947b8348d056acdcaf788b038dda6e6a052c5031616f28ace46c3771213f748415d800456e481e87a45a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
4ad129cdcf9ddab128ec9b355cd6f034

SHA1
8e02c752b6079e5ca7708d97e3a13c255abbdf54

SHA256
b90a994fc1ac84c1506e84e958e77c696d2191dae5afe124ec5c8decab272c72

SHA512
40833ae3d92f2e1c31b47435e733d4c516ad299e38aa5bfbb6bd3f026f5a7b5f222820f30efddbb83e69767680645d05868ac55f0fb832e3daf99f838c5d27a1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
a1c535dcc11a004126bd434aaf0057ff

SHA1
5a1ed29e794af85b68ef3460918cd8265f35a62d

SHA256
0f3cc25cacdc0ecdefcc734e46d7d2276410ccff9fb0ef156474ac16ad72c1d8

SHA512
5e1ebd5405585db1f723d86fb8566eb349a019c94c8f66b2b995e7639f949cfea77bfd18e1f9a114db24010430a2e58bb34b3252d92725e78e50fecbe64a721d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.6MB

MD5
2dff5178d222fcb7e2ac07b639927fb0

SHA1
daaaabd1d3b17f801f9948b1d6135272357789e7

SHA256
c98d718ebe9b2a7b26b38f026e4e99bf1c5e2ab7b992a0eec59a3953679aa80a

SHA512
bc2720dca58d31a9defd251e06d2fa956578b3f699fa283c15693d794b75e5f0414ecedf8eece187934e4741861c1055c1fa8bd6bd676ef732b53e16bd0c9bc1

Download Submit