312c5e997c8d1a8fb9ff4b9c574b8e5e32253325e4f8dc72774cf4838ae0b18c

Analysis

max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e08732a0b630c169dc6054b22e44a830N.exe
Size

2.6MB
MD5

e08732a0b630c169dc6054b22e44a830
SHA1

c8d3a7195afadee55e0e73c82bf6d8ea71f1843e
SHA256

312c5e997c8d1a8fb9ff4b9c574b8e5e32253325e4f8dc72774cf4838ae0b18c
SHA512

dafc8f029b4b338bd0f69575ec5a97e5f416b8e27ef93f208b07c2612f26fe58a4d39764509d65e44a6f625ccdb6e67d3c2ed7508d61d5d22fc90874b743f0ca
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUpDb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	e08732a0b630c169dc6054b22e44a830N.exe

Executes dropped EXE 2 IoCs

pid	Process
472	locadob.exe
2476	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe77\\xdobec.exe"	e08732a0b630c169dc6054b22e44a830N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBDK\\bodxsys.exe"	e08732a0b630c169dc6054b22e44a830N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e08732a0b630c169dc6054b22e44a830N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	e08732a0b630c169dc6054b22e44a830N.exe
116	e08732a0b630c169dc6054b22e44a830N.exe
116	e08732a0b630c169dc6054b22e44a830N.exe
116	e08732a0b630c169dc6054b22e44a830N.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe
472	locadob.exe
472	locadob.exe
2476	xdobec.exe
2476	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 472	116	e08732a0b630c169dc6054b22e44a830N.exe	90
PID 116 wrote to memory of 472	116	e08732a0b630c169dc6054b22e44a830N.exe	90
PID 116 wrote to memory of 472	116	e08732a0b630c169dc6054b22e44a830N.exe	90
PID 116 wrote to memory of 2476	116	e08732a0b630c169dc6054b22e44a830N.exe	91
PID 116 wrote to memory of 2476	116	e08732a0b630c169dc6054b22e44a830N.exe	91
PID 116 wrote to memory of 2476	116	e08732a0b630c169dc6054b22e44a830N.exe	91

C:\Users\Admin\AppData\Local\Temp\e08732a0b630c169dc6054b22e44a830N.exe
"C:\Users\Admin\AppData\Local\Temp\e08732a0b630c169dc6054b22e44a830N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:472
- C:\Adobe77\xdobec.exe
  C:\Adobe77\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe77\xdobec.exe

Filesize
6KB

MD5
c8190a91500bb1d9caa61e3b11eaf128

SHA1
ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

SHA256
6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

SHA512
bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b

Download Submit
C:\Adobe77\xdobec.exe

Filesize
2.6MB

MD5
7bf9e854e78237cd1267bd95912edc91

SHA1
cd3f3b08140bae78e4197d2bfd19a737331e4f7d

SHA256
3f47f9323c9deee863a5bd45ef8c6045bbff9e8811c014948ab165be60269c68

SHA512
e8dd62e7843f0d1ab9118e64014fe5c9c7b79ed6e2b217213cadfcad528bc889b94349c8cc668f608ceb84f1af016ef75a6257d217f2ea1b745bc0370c47c301

Download Submit
C:\KaVBDK\bodxsys.exe

Filesize
29KB

MD5
c2b58e7bd0d9d36929797d78aa1d3e51

SHA1
8fc011635fc3980b8429b2956954a84ef4f62f48

SHA256
d5277dd43fac6b920dc73e189c8ce3c2b5d25215f887f88a07155db345eeb18c

SHA512
78c62f3f40b38eb2f380b786661968a0da8840a04924336873b4f4aceba9dd3bd8652ebb78ce9ba2b6128880c6d2ac12c784def607e382a7ede8e458ed4932e0

Download Submit
C:\KaVBDK\bodxsys.exe

Filesize
2.6MB

MD5
ebc405cf1ea1d6c43e2349c28bb130e3

SHA1
028d442778ab2390963ecf20df90bd0a5a31b27c

SHA256
c9c77694f20e2421a978d3444507818f8d57197f4ad051a169bb7db839b2eabc

SHA512
69330ccddba1edc7dbecbcc2bb4f0e9878deb12c7439c6c10be1637652392817e5f3b2614e132e0a79b4d1c071f9aca8c5f1c3c598b86f9b762e7193a9f37a67

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
98be117d0e0f93a7c161dbc5fd00c208

SHA1
b686516b0d7624ddf1048aef081deb135f7df8bd

SHA256
c47d0d7ecb403a07db11f634c052200d911700dfa8c267fd5dc09971a5f68c90

SHA512
7e0b5fa63c9bc07b42102db5206d236e676d95e4fbff6f038c8807c7f5c65ff8bacb5a0a586c07b568a5f5a514b114787163eb3119a6b5e5ec376987b1b15c36

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
94704f90a80853096cc2c95503850bd1

SHA1
7d348878fc9db1b160f57b9896855cd02ae7d03b

SHA256
76a125bc7e993aa17db6d4cff9bfe69c6b411dd2ab3280c4e691c8834be6417e

SHA512
025188463924760599b19c6f8650d1365aa564443f2777cdad6d3ae11e352d1c5469fbd6634d9256b5dcdb25b805c19a216475a3ccf22966184062cae69cc2a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
2ec97412e9cb1a567dc79ea06f20a712

SHA1
899debd19548139cd89d93b41778ef9d70234ec3

SHA256
1475a5b068df9bb1a685134e0ed79abcf8fb47acca9d8de8d7980ee1d36d1d9f

SHA512
637a581e3a6d9ec6184d4c860e5228de8555fb061e8f1657d4d7e11f5cc6d2dc411e396945d0475e133b6e0a13929a638dc1c7924fa7304dfc456dde1d1b7201

Download Submit