548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
Size

2.6MB
MD5

becef067a84724f23bd4d4697203c4d0
SHA1

ceae1f1da1519238f2939c87d757ae4bec2973eb
SHA256

548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36
SHA512

b15e65f7561759f74169e4d59058e22453db2094e7d63f8a0318f146eb378ab5f5c10626c52db5bf66f0fbba0f0ec2f0804b6fc131eea3b00d290ae3620100c9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpkb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe

Executes dropped EXE 2 IoCs

pid	Process
3808	locadob.exe
3768	xdobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSJ\\xdobloc.exe"	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3D\\optixec.exe"	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe
3808	locadob.exe
3808	locadob.exe
3768	xdobloc.exe
3768	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3808	2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe	82
PID 2188 wrote to memory of 3808	2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe	82
PID 2188 wrote to memory of 3808	2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe	82
PID 2188 wrote to memory of 3768	2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe	83
PID 2188 wrote to memory of 3768	2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe	83
PID 2188 wrote to memory of 3768	2188	548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe	83

C:\Users\Admin\AppData\Local\Temp\548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe
"C:\Users\Admin\AppData\Local\Temp\548be8b074415e8bb93f69a3b0f0c269ef82b7fb98f148d6cf6179809e10bc36N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
- C:\AdobeSJ\xdobloc.exe
  C:\AdobeSJ\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeSJ\xdobloc.exe

Filesize
2.2MB

MD5
89fd63f3e83fb83a86ed3ce9e432e0e7

SHA1
718fc2265f70f12f71eb9162f7d696f91702c19a

SHA256
102db907790418332acec78e660fcec8ec0d3e00ee12e549c5a267b9d5676586

SHA512
07bf432c9ac8825c2bc0867c2010a78488309acffb06e1d18edf2254729a63aed56aba86714ea0da82fb66949eb3bcea53070d2c3da676b549cd5ffeb0727c23

Download Submit
C:\AdobeSJ\xdobloc.exe

Filesize
2.6MB

MD5
c61e1a8acf36fc639be5303c0e88ede0

SHA1
615bfd1e886a8fb7cad7ed7887625a1827f293c8

SHA256
64921d4f4ac23ea66f1b9d2fe585cfa5ace222956dd4f79e2d9cc137e9fd4c17

SHA512
8b4e596bf45a62525fe7cb1714a5e17b75a60628203382978cec9351df3dabdbfe6efd24633e6d36e08b9d5f1d99be089b4d8d4104367e4de09aba09797b45c5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
65960cdebf79fab570aad713dd7951bc

SHA1
f4dd8bdff6a80fe31b2c753ba5049ff2cca76438

SHA256
311c7aaf8d9c7b4346f4c6c633cc08a3fd3497fe9d367847d9368d0079951793

SHA512
4a460a05c22b79691a99cdbe51e510f1c5d8993c7dbf0b7a6dd698a88641e0d577bffe5e8a95c95e001da26eec09d55a9e1cb23889037997b14e45f3cdc8c7ec

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
167B

MD5
bd80b9e53dc3d8343e9a31eefd264de4

SHA1
c92db944b0cf221cbc12206fd6e6895c57aeca29

SHA256
0720819a0cd3f72e64de35993c8dc2b00d417fd35b20d21307dc288f1bf96b7a

SHA512
4b2f5da458dc4ab77b04488b4cdfcfef2dcd9b1d1ec20a9395f61be6398564b67f0e2e57b16b8f71432368b64a301ca992922dbd07bacb46d68baf5a2c8f3864

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
04e00e4e21fed7d22f545cbba639d1b7

SHA1
92993faa3fa1ba1470a9b0741f547b0fa7dcb935

SHA256
41fc6da69c65f110fbe4887149a1467bc0fbe4e203f749b92a2780e1e6ef7bbf

SHA512
c3f115a935bd3b0a936d3430b33cfca8299a3da3c2c2e0e65700ed5c6f40e1b01aa9f210cbc571b8601593b583ad0f408767ac63a6e2a29a7af1563c3bc257a0

Download Submit
C:\Vid3D\optixec.exe

Filesize
7KB

MD5
ec404dc607a7bce365c371372c732d22

SHA1
4d3414b75d79d8d911c3947e95add02806762e93

SHA256
8f1145e98e4e5b5619503e16422f9cc17157101ff54ed5b081106ce4959f22e2

SHA512
25f87b1070bb1946e262d5ff4eaf91a6ff170c9987f970ecc4f02a7e9f7ef3b5355d6f693edce66f6085e5bd6279f612d457449cbae352b4654ace8c35e2c55a

Download Submit
C:\Vid3D\optixec.exe

Filesize
18KB

MD5
f3611b180f53e7b766446f16c0eb47e8

SHA1
b0a5575b4fca6d2ca1ebf68f998124b33189a5e8

SHA256
da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f

SHA512
80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1

Download Submit