2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
Size

2.6MB
MD5

b66ffb4704a0d857d711cfce898cbcb0
SHA1

5a596c5156f922bbc8d72de5241af0ab8f30f3e8
SHA256

2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589
SHA512

b3e678552fa0797cee4373d2b776e1946d7b5695dcd943285717b16e28202cf9c7ab05f452653b8bdc61c7b99143b6825eedd2ed8f93fd2292a764f50571c7ad
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUp8b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe

Executes dropped EXE 2 IoCs

pid	Process
4872	locabod.exe
1220	xdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEL\\xdobsys.exe"	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUN\\dobaec.exe"	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe
4872	locabod.exe
4872	locabod.exe
1220	xdobsys.exe
1220	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 4872	1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	82
PID 1932 wrote to memory of 4872	1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	82
PID 1932 wrote to memory of 4872	1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	82
PID 1932 wrote to memory of 1220	1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	83
PID 1932 wrote to memory of 1220	1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	83
PID 1932 wrote to memory of 1220	1932	2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe	83

C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe
"C:\Users\Admin\AppData\Local\Temp\2ae3c4d377f5f5e984b9d207d3a605a28f2750c3ee0acf60d4eea0fa91b65589N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\IntelprocEL\xdobsys.exe
  C:\IntelprocEL\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocEL\xdobsys.exe

Filesize
2.6MB

MD5
ddb1ef1bd578a2bf9ce25869d60e03be

SHA1
5b137958003e18ab80842163aa437acf1ef14599

SHA256
9711e224dd167854a95c89bc6ebc8dd6203d0acae8da8a580e143f3172034c42

SHA512
79733981dd62e4cf34ac820685dc611a25c747fb5ce4f5fd0bb195758829321789c52faaa789894a8eadc68cd76f70933ae0436c000bbdc90818fe72f336c29e

Download Submit
C:\LabZUN\dobaec.exe

Filesize
1.1MB

MD5
61a11a08a0bd18838b64a911d7cfea8b

SHA1
da32f2bf5b8feab18a8013e664d37237277d92c4

SHA256
78497ec8e31107a61a85a9f41a574d06171a31108148e4f6b54a407e7941096e

SHA512
684fcd4fb33eca991ebf838a310378caeb4bc05b8a4abb575bd3d55606abbada2e6573ac27b5cd2ad0eac8c06ee5d75b15200d267b63b338dc3bee6cb1d3e20c

Download Submit
C:\LabZUN\dobaec.exe

Filesize
7KB

MD5
84c3a9ef71c6c32cc10faa7a3122fe8d

SHA1
44094cadec949c065d4321a4cb7bb4c11cd999f9

SHA256
de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b

SHA512
f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
657e962463b354647a4b93953f7b30fd

SHA1
41781dda31af4760059a334093acdf4be988beb6

SHA256
a836bb4a9f5f113e18e930f845b606266c2545c10b6e9d78e6e10ef7f9bf9443

SHA512
1a816d2998c62823d6da7e83b59f6a131f717b880336684d5122060d6ec0225191e5c0713d9a4d239a9c3ebcabb0a2db985905a8aac708bb0da2513498dcc346

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
861716f62529104e56dbe8817809cd4a

SHA1
18a9086ae5d88b439baef4c67482c81a3f331861

SHA256
08a4efb2e786a03ffbeea667555eb367ed15c9f0d70a6ef37334e405e16c0e13

SHA512
6a817848543e1e5c7354bc442e8cfe9c61acd6ac4a8dc141f8933f2cecad94bc595dc23ebeae4738a5e44b481b2ade89e5a3e493f0345c6ffa3a3f48783ebe0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
42ddddc731f843a7224d819c9e5272e5

SHA1
56b2da1ee7380113561e84d00246653c287174a0

SHA256
9649109d167953de8c273347a782a72ea772584f45133b00dea11afb86edafd0

SHA512
ec05d052b6fedbd04cd38e1f4f05f44ae3c74dcb3924f2029dd681df81aa07a5aa78c500f811e1c8a2f8f8fa89af6661b1c6be1235ef129fced6663294fe3b97

Download Submit