a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 00:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
Size

3.1MB
MD5

7721667d876a9fe1a5f9bd5ee6342df1
SHA1

c84f9363a8269d588a0da33557b5cb144b4eb5e7
SHA256

a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe
SHA512

c21cef79d5afe19a88b27b72f25ce5a0046295d70071c69018145d1bd29fd77ee9192fd1d7a4d594ab691418838f6e75124ae22c5e378b5396179a17cc28b62b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpQbVz8eLFc

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	locxdob.exe
2264	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG2\\adobsys.exe"	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNF\\bodxec.exe"	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe
1716	locxdob.exe
2264	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 1716	236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	30
PID 236 wrote to memory of 1716	236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	30
PID 236 wrote to memory of 1716	236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	30
PID 236 wrote to memory of 1716	236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	30
PID 236 wrote to memory of 2264	236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	31
PID 236 wrote to memory of 2264	236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	31
PID 236 wrote to memory of 2264	236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	31
PID 236 wrote to memory of 2264	236	a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe	31

C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe
"C:\Users\Admin\AppData\Local\Temp\a24148eda3bf4345cb5120375ce54afda973884143eecc7dfd186713b9f708fe.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\IntelprocG2\adobsys.exe
  C:\IntelprocG2\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocG2\adobsys.exe

Filesize
3.1MB

MD5
3bfd5746cc1c20ec10c3bc12a6d02ead

SHA1
38c062f00ba5038c5d218a5db6ad631284ff2041

SHA256
3dab2e85ddb2dedb8d8143c5c09c7650d0a8221d4962794e088a12a68c7592ae

SHA512
d95d718089d0adb19b51150705d5b7d3bc9cd1a24c9577acd2cbfff792edde415d4bf02129e32fcef05fe853128f0e7540587f373d69b5b9f855155b4a2d1e30

Download Submit
C:\LabZNF\bodxec.exe

Filesize
1.7MB

MD5
cdd97b53b5ff1c4c91ddadde33a72d19

SHA1
e874795b48a2225d7a2708576fd4d0606378c736

SHA256
438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

SHA512
e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Download Submit
C:\LabZNF\bodxec.exe

Filesize
8KB

MD5
4f22d799849ad951d457b82eff37db75

SHA1
4e1063fe8d636bd72f9cd680c689c23c67188ea6

SHA256
6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948

SHA512
9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
ecb4c5a14c072930cd2f90a21cf7e4c7

SHA1
5e7c6b0f05ea46a43c348296a005fe56ec802b48

SHA256
c9efe70bdd8ffcca3a7072ffdcaeead73c16a9791aba00cf6a758915e1c97430

SHA512
28f8ad8c7469a59f9a4ca663fdeb4838f4a17d6f8983fb9f6e3a7b5df9da9665cd12269b1205a8f27928dee2f322384f24073a3342cbda406f131e78209cbd8f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
d91f0e755948db9175994ce68120036f

SHA1
a02c74b0cdfde634cf87b9a0a52df1c1a2e50fad

SHA256
72507fa0598e00ad8d61e81bcca0eb32a5b803bde99e40ecf0755349f9129252

SHA512
3108bd790c6d018ca68294eeb68cc74566362fa69072719a425790d02d48994187dd2f583728a4bdbcbbece7e7e747feccf343f87f6245eeb780ee66088dc591

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.1MB

MD5
09706a47a68132c46bd478cdc850c1f2

SHA1
9c5f038e18a910676a9dbe5c52b560d337a7b66f

SHA256
b824fe95a74558b8b0c9e4a8a1a5d8c2c6c9f6aec54dce5dd2564966133c95cb

SHA512
dd22e7ab8c1433b8788737afd768cd4be2289cb62bfaceb763a296066f48b3c6c9adf1c31f54c5b6ab4ca1145d9b691d74f590f4e45548205ee3e64c44d6e2bf

Download Submit