60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
Size

2.6MB
MD5

4979549ffeb15b3a35518ee078efa6c8
SHA1

92b5093771d0d49794b688aec922a1322ef97259
SHA256

60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d
SHA512

da1637076866f1f1b9d8a30a97cccaf01552c0764f6c87022fa47fc27f709f5a59a75637a9aced327fd8ff22ecf8b6ef6eff7474471057d326dd957efabcb1a3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpZb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe

Executes dropped EXE 2 IoCs

pid	Process
3888	locxopti.exe
856	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJ3\\xdobsys.exe"	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOU\\boddevloc.exe"	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe
3888	locxopti.exe
3888	locxopti.exe
856	xdobsys.exe
856	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 3888	3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	85
PID 3504 wrote to memory of 3888	3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	85
PID 3504 wrote to memory of 3888	3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	85
PID 3504 wrote to memory of 856	3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	86
PID 3504 wrote to memory of 856	3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	86
PID 3504 wrote to memory of 856	3504	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	86

C:\Users\Admin\AppData\Local\Temp\60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
"C:\Users\Admin\AppData\Local\Temp\60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\FilesJ3\xdobsys.exe
  C:\FilesJ3\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJ3\xdobsys.exe

Filesize
2.6MB

MD5
a3a48a91cb4d9273502c2d3b4997d170

SHA1
055760463fbde711c6fd23c2f144607198e2b021

SHA256
a37e87028ab06f55bd29c9ba087af2ca57c2c2c08d8763f36c05266854b5cd29

SHA512
d32f31c27e35e7de03fb9093c08754fbcfd77430ca14af6ce770dcb3d8e9accf712ac2473fe899082d64eb405b68a9f2f9b55561e5a0471808cde5bc396f4d6c

Download Submit
C:\KaVBOU\boddevloc.exe

Filesize
2.6MB

MD5
f4d0a5478541b6a281f67512bee6e18c

SHA1
e657ed04af7186e66b65bc5f83a657120d53ab21

SHA256
72dd6c78b8f4f94ba2eba14b996d5b2fa0db1178503bdde6b902a54300159eb6

SHA512
511313f4c5f594e1fbf7487782c3beda87c9df386aede51536d4d21a6d777548c9ea1550b396222532dca580508e72aac2e920da35632fa67c638b34eaf5da36

Download Submit
C:\KaVBOU\boddevloc.exe

Filesize
2.6MB

MD5
fe944b5b2a8c9a78d6693a8c5f77b4fb

SHA1
26c13b804058b34f1cd378410dd91ef5d56bcfc9

SHA256
c063008fd043309dc7595be02c785cc600defa51b094ef837ee7c5897791b044

SHA512
f24591fda4042771657bf9a4ec2159d7836b4ed52b6f520af92d085ad51a6b0d558380462d5eab7af669522f3cee8db77ab560dd53f03c1d3ca0caf7a5516462

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
406f2c8f8118f9dc777f163bc2b1c053

SHA1
eb288b16d9bb4ab288883f4ab1b3e8ceae0fb6b2

SHA256
7148d9966bc880b35d1380be69f39083917323a63abcf9fd108d64c856f959a3

SHA512
eb850495b34c00430f0ab3db404e244680718c844b0ff6dabbf53b681604cf163a14023e828e032a4c13fd1e378bc954b41684659dfc573291af1d37bdbff575

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
096b9ed602bc5cd523d508ba54b27abf

SHA1
29d67e33e2ac18820e815e409c3f9d6515f2a2e9

SHA256
1942ec5012213755cb7fa93f25b649acf1e0b0362ad3bf4b0b22385225945bec

SHA512
1a176b1f88e9bced73e23cf5037cbd68b22a0ad9015e82c4ee4e0ce99730cb854ffeadf4ce857abe4e2d6022a92a769b6ad323b4a876d841f02b171f3dcf86cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
4b10cc50b1b9ec6204e3072d77fc5f08

SHA1
3d7483aab3ebcab48cfa20149c79cb74d2b6b23a

SHA256
773ae617f24b8c1b0ed811834b8d6b68a390d590270fc5351f625ee7dd0839c2

SHA512
4d036653819cfcff853edf4b2865162f44a63026b2238b7d47c59e37b33768d740f4fb2ad6471f7eb4c0f3be5505bb3f159c6aa987e57e2d8a40eb4cd53af5ce

Download Submit