fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401b

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe
Size

2.6MB
MD5

8ff82f080243c84c0cf1efebe1b75710
SHA1

b900d5eb412d65f158d00503ecac78e5cbe5ed68
SHA256

fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401b
SHA512

a64c9ae619153cf1231e47986bc9448dc82d095554052ef5ba45e30229af5294d2c3e1f9f65b5150a3afceab9e206984598f64372b3baaae917bad8b66cb36b2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUp1b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	locxdob.exe
4808	adobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKI\\adobec.exe"	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4K\\boddevsys.exe"	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe
2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe
2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe
2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe
3068	locxdob.exe
3068	locxdob.exe
4808	adobec.exe
4808	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3068	2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe	82
PID 2780 wrote to memory of 3068	2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe	82
PID 2780 wrote to memory of 3068	2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe	82
PID 2780 wrote to memory of 4808	2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe	83
PID 2780 wrote to memory of 4808	2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe	83
PID 2780 wrote to memory of 4808	2780	fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe	83

C:\Users\Admin\AppData\Local\Temp\fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe
"C:\Users\Admin\AppData\Local\Temp\fae54b45b62f77e1412b240aeb8edb30cb7c08c7757ace335c01b9566151401bN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\FilesKI\adobec.exe
  C:\FilesKI\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKI\adobec.exe

Filesize
2.6MB

MD5
1ef7de6f3ed75269333f0ae965edb1de

SHA1
090a5dd40454c4d8f13ee853a1dccba61f30b852

SHA256
95fdbf3fede5d32365562929c99b094b52bf7e8c891e4423fbeb0f7007725a08

SHA512
cc33991f0f6b4c7ae53c9fb47eec129820ffe4af31baaa599a31b1c04a02716811b2ebeaf031d3421741f0f4812874b664d1124e250186ce626bf3af8324e1f8

Download Submit
C:\LabZ4K\boddevsys.exe

Filesize
2.6MB

MD5
29a56a512120946103f6f243acd2350e

SHA1
e2a10d588b3e5583b187954811594655e71f15be

SHA256
dfe93dad56a7bd7822958802a968eb0c3e4fbc24667db2a6f87f966e9d9611db

SHA512
9c15a88be56024d7cf76fe8bea346f324d17167680662fd23eb9b9e72e5e54cebc2bab20025aa45286651e638a2546e1bc90487763903088b82a093e865357f8

Download Submit
C:\LabZ4K\boddevsys.exe

Filesize
61KB

MD5
8b4dffe989c8a9ea47524294e5fcc708

SHA1
4acbc8b21c8f26b1f642b972d17ab0f0b53c9ba6

SHA256
8e6b14ad58167ed607d65cb133e333bd7b111eac4cb1eebcb5c4333670d91059

SHA512
6d1e1b6a23cf0c68f712774bbe9acfe52d4cd5d51da71a9316b97f45003865c80efeff6adc48f8ffe23be04fad17173f2229c13dcfe6bf6cbaead558220edd85

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
cddec3af057110bb1b94e86d15ea4d25

SHA1
ae1f16960f26405f3f911ad99a63211fb445f6a7

SHA256
4b7eaa7db4e212fedf174d766a573f98edbbdd830c71a0a6e688aff86f917eb6

SHA512
542cee9b153eb1e448c92f6315c7cdbd6b44165df38463ffdfca745acb7b88c730734e780247d619a0250f4bf33c10127f1e28d11dc2cfba17bd05c57fa9594b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
9427836077f409ce83db7a48628ebced

SHA1
648458fa57b614b621439d774cc145574385df29

SHA256
7bd5fceb90c93ce0293a9c897b4ae3e50306a0f6d80fc89d0ac00d7730978d3d

SHA512
f5cc4e6d2d9a972dcbf9552daa9a023699005c2b31ad07f42cb3b1e91c1a372ba4decc1dc5c76fd1df0028e85c2ca5d7368dd7fae4c33963d6823bd6852b6a4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
7b0942eeec32d4896ad1d7a87b3ef9fc

SHA1
aebe1608a8ef91b66562f1481b274ece69bb31dd

SHA256
cd9f19f321d21c33e62799a926ef03a4222b25c5e81e21c1e7cae2ed57b6c964

SHA512
2f177db792e2ba42ee4328ba692179854c9b7fd78934742eb55f199e007ad9c93f051dd1e69fc3f7450c1b8d080d2f7042667bbb1f273d54c367fe863ff116d1

Download Submit