5e3dce80e6dc5248d2a57188423d6793e2f3bc992e61a39bc1ae5b912de15276

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9abac6f2975aa2d880c5ca4533c5a020N.exe
Size

2.6MB
MD5

9abac6f2975aa2d880c5ca4533c5a020
SHA1

99d28e199deeb09d6d55e8bedcd3f48255cd80d4
SHA256

5e3dce80e6dc5248d2a57188423d6793e2f3bc992e61a39bc1ae5b912de15276
SHA512

67ee16a97b7ef15745ef8084fb2b6060b07cef9b2b08667e836d43ed1ec176a954f98cbdf635acda262b462b742bcc05a1944bc5f98be177db25155c98108424
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpwb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	9abac6f2975aa2d880c5ca4533c5a020N.exe

Executes dropped EXE 2 IoCs

pid	Process
4508	locxbod.exe
4804	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCA\\adobec.exe"	9abac6f2975aa2d880c5ca4533c5a020N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJI\\optixsys.exe"	9abac6f2975aa2d880c5ca4533c5a020N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9abac6f2975aa2d880c5ca4533c5a020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4112	9abac6f2975aa2d880c5ca4533c5a020N.exe
4112	9abac6f2975aa2d880c5ca4533c5a020N.exe
4112	9abac6f2975aa2d880c5ca4533c5a020N.exe
4112	9abac6f2975aa2d880c5ca4533c5a020N.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe
4508	locxbod.exe
4508	locxbod.exe
4804	adobec.exe
4804	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4508	4112	9abac6f2975aa2d880c5ca4533c5a020N.exe	89
PID 4112 wrote to memory of 4508	4112	9abac6f2975aa2d880c5ca4533c5a020N.exe	89
PID 4112 wrote to memory of 4508	4112	9abac6f2975aa2d880c5ca4533c5a020N.exe	89
PID 4112 wrote to memory of 4804	4112	9abac6f2975aa2d880c5ca4533c5a020N.exe	92
PID 4112 wrote to memory of 4804	4112	9abac6f2975aa2d880c5ca4533c5a020N.exe	92
PID 4112 wrote to memory of 4804	4112	9abac6f2975aa2d880c5ca4533c5a020N.exe	92

C:\Users\Admin\AppData\Local\Temp\9abac6f2975aa2d880c5ca4533c5a020N.exe
"C:\Users\Admin\AppData\Local\Temp\9abac6f2975aa2d880c5ca4533c5a020N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\AdobeCA\adobec.exe
  C:\AdobeCA\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeCA\adobec.exe

Filesize
2.6MB

MD5
f98ebe70f72d26a01a855be86ac928e1

SHA1
b40ab8d716b0d0bcef035df2c5849673b8499381

SHA256
372be5a5120b985403a04bdfd6e8824f8a6e46aa295ea9e4b0c631f381020442

SHA512
693d7c7fa38193cfb922e51bf9dd2051a730f65822270fc0588d90eff4792d3138c95ee4bd471a39cbcece7c2ad6e1c0b4ee2b813d2871a89462084dc1bc2b72

Download Submit
C:\KaVBJI\optixsys.exe

Filesize
2.6MB

MD5
d965c0d797cc5748b9b3c479635fc671

SHA1
753123bc25bf42b9d863574897207c92c83b186a

SHA256
5aff7aa649af96ed9c277f45e2d608a6df53224608c0fe800c169d999757684e

SHA512
f5e45e1171188a79c327930154cb0290d3927b0196f9e3b8e3ce2ca5e59882a67938c59937cda0a5f7f9ac1c058b6f3fec1fb83d836d6e1acc63fa5dbf6a2a49

Download Submit
C:\KaVBJI\optixsys.exe

Filesize
4KB

MD5
b61f1c7ad73efe910c92dd7a7c9a7a0e

SHA1
da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd

SHA256
b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0

SHA512
224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
25761067a78aba0ed31d2a0f09b27271

SHA1
9f1493e99a7b289186171c4a1fdcd2a7126a775b

SHA256
ba9e0158da61c896d6f8117dac7de5979db3866278b6e72282d7d23de91e3420

SHA512
17c877200c8098a938bafbdabd68dbfa5dea6b85511b27014c82199e5c440eb1da16cd1a4d088ff01efbbc2f3865c88ce868bbacd14a2419f0d5437933a8a2d9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
a873d15012c90d1eedeae7044e1abddc

SHA1
52e104b06fd746fd88bd70e6161e082095e60371

SHA256
46b0f4ba0946db2a5d7668ffb694b58e0b5c0a310f25703ed1454f21d6f374c7

SHA512
c32d7ffcffc5dbfb9205e79f90fa1640a0be61baf1acc38d152e2eadfcdfe357a617470d572977bf3a5af69e35880855a91c9d2f8daac71b3ed0a75fde3d7bcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
22ba035545cd2082de8033bf572df6e4

SHA1
83a7757b8a895915c93fa9f7739fbafd146b6851

SHA256
5d0c5c5665f09ad4d4089ac1eb58e093ada331874307e2579bd225401740ed79

SHA512
167d686937dfc619db8d0a1cb4103e5aaebf115aeb0367d3d0ced26a36021c88deac2d7da1dd516fa9683066489a0cd2183e165b1b973516fe998d8093555c54

Download Submit