a0eae02e56c3edf9a83b99d9468b460c039a542227f094a4ce40cb0b49e66c81

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e328a8fa7dd272771f39ad85c8c30410N.exe
Size

2.6MB
MD5

e328a8fa7dd272771f39ad85c8c30410
SHA1

670f6b4d38fc2a434e39ee8f7e8b228cbdd26156
SHA256

a0eae02e56c3edf9a83b99d9468b460c039a542227f094a4ce40cb0b49e66c81
SHA512

f0e04f70248c077b45d5dac32aa1d208a98dd49efe7df96253999ff2b841c8727b5f9e2c65016654f330af754fdf3b22178ea472737538b7286f613924f5f56b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUp8b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	e328a8fa7dd272771f39ad85c8c30410N.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	locadob.exe
1500	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYO\\xbodec.exe"	e328a8fa7dd272771f39ad85c8c30410N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ60\\dobdevec.exe"	e328a8fa7dd272771f39ad85c8c30410N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e328a8fa7dd272771f39ad85c8c30410N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	e328a8fa7dd272771f39ad85c8c30410N.exe
4724	e328a8fa7dd272771f39ad85c8c30410N.exe
4724	e328a8fa7dd272771f39ad85c8c30410N.exe
4724	e328a8fa7dd272771f39ad85c8c30410N.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe
2792	locadob.exe
2792	locadob.exe
1500	xbodec.exe
1500	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2792	4724	e328a8fa7dd272771f39ad85c8c30410N.exe	89
PID 4724 wrote to memory of 2792	4724	e328a8fa7dd272771f39ad85c8c30410N.exe	89
PID 4724 wrote to memory of 2792	4724	e328a8fa7dd272771f39ad85c8c30410N.exe	89
PID 4724 wrote to memory of 1500	4724	e328a8fa7dd272771f39ad85c8c30410N.exe	92
PID 4724 wrote to memory of 1500	4724	e328a8fa7dd272771f39ad85c8c30410N.exe	92
PID 4724 wrote to memory of 1500	4724	e328a8fa7dd272771f39ad85c8c30410N.exe	92

C:\Users\Admin\AppData\Local\Temp\e328a8fa7dd272771f39ad85c8c30410N.exe
"C:\Users\Admin\AppData\Local\Temp\e328a8fa7dd272771f39ad85c8c30410N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\SysDrvYO\xbodec.exe
  C:\SysDrvYO\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ60\dobdevec.exe

Filesize
280KB

MD5
5cb72bbc8d266c8a2dd7aa35bd5aa1f7

SHA1
7acb1188c382032488e2cf03af5e84482eeed4af

SHA256
4ad8970c66ce217f4d9c453a2872e32ad3d9c60f432face15d83110c9a18c955

SHA512
f3e813f28c18f72a49a65c3b5f7b6d098cb4f975cfa9b17b498d6270ad52fe2afa685b000e7b213643b5f593c579d11f6092aa5d113ffe6679fc5e2feca825b3

Download Submit
C:\LabZ60\dobdevec.exe

Filesize
2.6MB

MD5
a4dddd5fb96962ee657269b209eb7312

SHA1
97e50b018ab312b5ae57ad976201e3357902bdc0

SHA256
78de309aa46d90a41e93efccd4bbdd353263a9af3f30d5ac494d8b5a2edd8eda

SHA512
dd70657f68eab3ed74c9cea6478e173511e23a4e1ea31f21a9a461e6aa56e83d7ef3709e95077c383350109fe33b6bd388826da9164301b13eaaa8f34c8e9537

Download Submit
C:\SysDrvYO\xbodec.exe

Filesize
775KB

MD5
be9cc4903b58572b0c8e1fc132201e61

SHA1
d336a142d4807496954c55ab1ae4be822a21c194

SHA256
1dc4675f13b5a7d3c7438b0f1fca60c91dfc5d033f9105e604515c41116c926d

SHA512
37f9e4c458ba2d985e998f1df2a8d5394a3e47c72186f85681ed6f5d7a88892f50d5219959c95d4f4b98caf407c8d817d3c64782f9112e871c2dbabda2095fd1

Download Submit
C:\SysDrvYO\xbodec.exe

Filesize
2.6MB

MD5
035a099b4d0f08eb0a3420ae9c8c5bfa

SHA1
e84e20d31841ca7c43772f1d36d224fd1972bad7

SHA256
8f4053308329e28463ec088a0004e8d91418cd5e5e477f612b04d739bed1e4bb

SHA512
423af1f0d15a0e3a2056c9b753dfe594b60e25c0a772d21127a8e9fa90c04ae0e2286074679c9bd3f72ed528404f1258bcde13be9d7bad267db3ca511249d006

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
848818d114d686f9d4e572cfb9393a37

SHA1
56583c93612c5e8dc102fb54b297131719324ae7

SHA256
90b5a7d868993f1bb0b879650d2cc57da45b188189fcf569355fe5f813ee4eb5

SHA512
34729bf2cc8f983957943a761f6b8b5c863a1bb737dcb9e536fa6c6f2ef0d196a9edc5dc102c9450b95fd43418453f5b0a4ab4bc90927e8e336922e80ac826d4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
2bffdceaee9a39e6f325952ff404278a

SHA1
7eda7ea28384b8c34eb041b136863c4092ebb5e7

SHA256
ba93ebf37b66a048d0d555d4a15046f09d7f641889e105257d923d8f6cf439cc

SHA512
5374ac9372ed77fe49731b8b16474779a1f5c11ee3390497738ffe96a8d9d1fc8486815f46c235540d2303a8fd730fc9623c429c386751141cfa4ba77b1041d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
e1b732a1785c72fde0556f1222dd7327

SHA1
8725cea91764e0058616196f879d04970ef7a849

SHA256
9e5a4308af4353b3c3df782d9f6e1baa728e7a46146aafba96b0ed7305950059

SHA512
aaf265488fd9c82c1ee3cb1f2dbc8d03bc16d7a441435862bcd0fd42e2286309cda80c35ebaa2b776d0899d6bbd304e873cdaf109a3cddeb6187b9c63156dfa6

Download Submit