c47b60a11aeac8f3832251b4c5a55187c114b765bc9b7db9e96eed348408f94b

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82bacff36017adb9699dd657dae8320N.exe
Size

2.6MB
MD5

c82bacff36017adb9699dd657dae8320
SHA1

16da691415f1df32c1f92a3fe7088bc6b50781e5
SHA256

c47b60a11aeac8f3832251b4c5a55187c114b765bc9b7db9e96eed348408f94b
SHA512

84aec331a4d4e3200689e783da9a51c6a5d974236434d8c6e4dc74e96bf7560379fe7a06b8e34fea83ab1daaff1662ec423df923519b4802d1193c85bd4d4841
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	c82bacff36017adb9699dd657dae8320N.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	locadob.exe
4900	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvA4\\xbodsys.exe"	c82bacff36017adb9699dd657dae8320N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFT\\dobasys.exe"	c82bacff36017adb9699dd657dae8320N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c82bacff36017adb9699dd657dae8320N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	c82bacff36017adb9699dd657dae8320N.exe
1072	c82bacff36017adb9699dd657dae8320N.exe
1072	c82bacff36017adb9699dd657dae8320N.exe
1072	c82bacff36017adb9699dd657dae8320N.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe
2300	locadob.exe
2300	locadob.exe
4900	xbodsys.exe
4900	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2300	1072	c82bacff36017adb9699dd657dae8320N.exe	86
PID 1072 wrote to memory of 2300	1072	c82bacff36017adb9699dd657dae8320N.exe	86
PID 1072 wrote to memory of 2300	1072	c82bacff36017adb9699dd657dae8320N.exe	86
PID 1072 wrote to memory of 4900	1072	c82bacff36017adb9699dd657dae8320N.exe	87
PID 1072 wrote to memory of 4900	1072	c82bacff36017adb9699dd657dae8320N.exe	87
PID 1072 wrote to memory of 4900	1072	c82bacff36017adb9699dd657dae8320N.exe	87

C:\Users\Admin\AppData\Local\Temp\c82bacff36017adb9699dd657dae8320N.exe
"C:\Users\Admin\AppData\Local\Temp\c82bacff36017adb9699dd657dae8320N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\SysDrvA4\xbodsys.exe
  C:\SysDrvA4\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvA4\xbodsys.exe

Filesize
6KB

MD5
eca5ea25f6a32a95c09d2d11f140c43b

SHA1
fc7c4ffc46b345747cc079073a62c80c129f2442

SHA256
7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17

SHA512
27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61

Download Submit
C:\SysDrvA4\xbodsys.exe

Filesize
2.6MB

MD5
fa47a009464adb33e8644556772062d7

SHA1
3aa4b3862a1d2fa68c357de4cab972ec260f040a

SHA256
473c8833f45223d486e12ac9ef4f23e610e1256c9acf27e5a5c45ad2505af38a

SHA512
de5d0a4a186a0a2ae5301f94dedbcd091e1cf613f488e307578c36fa9d9d6072bc079160c455b862f6fb98de98b6ca2191f16bb384d1f1b92083da950e9a501a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
556d10c557a1746ebb14ddf26118fb0e

SHA1
a668889eb833fbdc9a2993c8f45d05607843dcab

SHA256
2a4936eaa181fda3e5f318130bc91c56b2ef43797a9e1466d5134b208deb8021

SHA512
36a56e4d9ba0a4a2c1d07a51eab66ebf93caa523c3231c7cb714e5e79d6545898789433f382fde4058392005aa6ca1ca1db324e19221f60c12c99a8045118da8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
323159d3cf12131f9eba71e654defe14

SHA1
0aad2fe5f57e0a861e12423e313199d7d2995e05

SHA256
e62ebff37efd613d454a729429c25fb395ca7678b65d8f3fe939e71df851487b

SHA512
edfe5a41766f0290290c155ff1a46c679970210df23e12450e7a4f708d1beec1f8ec6bdc808c357db74617ded7520b43c6e41535c872e964df50e15415dd5573

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
08a155c42c71d9a3fd1b159207875b9f

SHA1
e67c106188823d34a18f502a729feb31cffbff97

SHA256
2276de0676f3f6f41d4d7050736243ac7cb8625455aca70859b502b709ea7752

SHA512
de5a96b66977cabebd7eaaf542becadc1b3987f112dcc4bc2a26fac273fe120598b3023876760f75f33bf64c7046a095b2d438a407689222240d613153ae2f44

Download Submit
C:\VidFT\dobasys.exe

Filesize
1.4MB

MD5
e76dd6485cbd77e338b5bd02a3df233a

SHA1
019093bba4efdc62d0b28d686e8855ee7699b95f

SHA256
4c665ac6be11995319e84003d3f3428f52ff751013642907bdfe75e51a9feb70

SHA512
50ea89885784270105cb28f9a7d11867320dbfba6c42e66faccc68cd094e53690a7bfca0cd43ef555c1a5fb7a12be1c7ead53187f6ba1e81a35f95fc66d6273b

Download Submit
C:\VidFT\dobasys.exe

Filesize
2.6MB

MD5
1c87f2d5874fe163c7ab45a73cf1020b

SHA1
d2c863cd47b627e315f54302c4fab33bd70aba22

SHA256
f85a259a0c882f22d3963efe7d0dc5ab7c745c918431e6d6a4604eaaef93c07a

SHA512
f20b08ac77ce1b6c748302078af956f9d4f244184781fa97b96d2b2b881029671cb57857204be43dc4abe8aee4f004744503d5086198ef460516842cc32ad145

Download Submit