ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bb

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
Size

2.6MB
MD5

f37d7c6251df1089e5b218e13a7c1240
SHA1

7ecc11246dbc4cb83d4619490ba0489ff04aae65
SHA256

ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bb
SHA512

d2eef1b3a8be07518cb6ddf3836e6da5373e49d996d6611a7738606ebeb1ffce80c4941e8fc7cfcdec1500300c53d061475ddd88108ba6ecb9665167db5f6b4d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpab

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe

Executes dropped EXE 2 IoCs

pid	Process
868	locxopti.exe
4072	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHV\\xdobec.exe"	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid02\\dobaloc.exe"	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe
868	locxopti.exe
868	locxopti.exe
4072	xdobec.exe
4072	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 868	3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	82
PID 3248 wrote to memory of 868	3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	82
PID 3248 wrote to memory of 868	3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	82
PID 3248 wrote to memory of 4072	3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	83
PID 3248 wrote to memory of 4072	3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	83
PID 3248 wrote to memory of 4072	3248	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	83

C:\Users\Admin\AppData\Local\Temp\ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
"C:\Users\Admin\AppData\Local\Temp\ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:868
- C:\SysDrvHV\xdobec.exe
  C:\SysDrvHV\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvHV\xdobec.exe

Filesize
2.6MB

MD5
288783e97951af7eb6dd9c2d6b4c6f5e

SHA1
1e08fc5cb725fc94d59b7bf3bd7d55ea6eabfefc

SHA256
a4ba129b21ef55dc875b0f63bd1d36bc1c9b98b7ea91f643e3aa0f81d7840af6

SHA512
962159574c7600c97a5f82744b13e3689dfbd829b8b4fc27660f445c731c0f07f6e3df444fc425f7673745b3873b7d389d6433bcd89fc308791828169379c18a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
e0f61a1f6a5c938814c54fa44a0188e8

SHA1
1c5dc024f4e6168bf17fc56c38b12cd4c4108338

SHA256
c04d9adb64b2867f10d735cb626f5daf1793caa5cfd85e3127621f834fc07658

SHA512
b82808f9ce7a385433447594c1855fb81d2e9b1510d5e1e55492bd80baf60bf983601bc2694283de9c97e57491e0aaa8ada857acb18741806fe253ccb4195b0a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
4d19800e2889c3f6b279dd521c4c780a

SHA1
59d5fc1223b8d15a6f74dc6a58ab81f8a6a42d63

SHA256
e03fd5c7ec3804c93d17757636930f5f00427ddefbf3a1c57b223e95384f0af1

SHA512
e44ee4f390a336626ece0d2d5e02fbe817a0aab38f6bb84948936d312cbde72a9a72fd488b57c94c65e79009d1550ee321c730815e049a7682bdd31bdd7501c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
367511276c0ed32e4f467e483c486f00

SHA1
70b31dcadd9427b8c0d1f1c66bafecbd8e1e9541

SHA256
be1512220598a03fb3d5be2b3b37d2898d5e8a0591153543b71acb1d20b2b329

SHA512
7b60800538ecc181f90cbeddf555a56a670c60e876358c27e69c79fc50b283973e97574d574219af8adc5291b47bba775f6e015333d1b8cba1d53e34260e9b07

Download Submit
C:\Vid02\dobaloc.exe

Filesize
2.6MB

MD5
aa4a05b3685a704ca78567913bce9127

SHA1
f4350ef5ac81f90157711b0671e31a002e1064ec

SHA256
3a2416ead6cda8a4846c957cddedaccf564d22855b75572ba44609f4303e96a4

SHA512
817d15f3ed7ea65923370594291984e64d65a6cea074245e8e1515cc901b7765898c5018af7ecea3bd0c19e618e63acc7d700ac8f9fcbc461394e6b626c8633f

Download Submit
C:\Vid02\dobaloc.exe

Filesize
2.6MB

MD5
320207512a198e44ad79d2ff41a5d841

SHA1
8bb507faaceac094e8d0e9be5999f844aeea87de

SHA256
1e2a0ee5bec027e93aaf08e8e2946b09d17efa4d3c41368768878cb16bf3344d

SHA512
d7007686fc0a46a4beaba2b9252e15269ab0731c24cb995ddd77577632d0a864eb3bdcc755f29c921f1588ca440c5768717b0a803d5b7de90a18f9310be4f8c9

Download Submit