a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
Size

2.6MB
MD5

5837741bd00efb728cd93cfcf6ac01a1
SHA1

a3dc0e5bc0c7228a15a3094703d7da6516f75305
SHA256

a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f
SHA512

4d4639a14be10aabe68218d6164cfc7854413043edec805ce00860ec775540989f24dfdeb8789e8f426c5ab9fba588ac5a28639d2103201789b10e20862d2380
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bS:sxX7QnxrloE5dpUpYb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe

Executes dropped EXE 2 IoCs

pid	Process
4252	locxdob.exe
3856	xbodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZG\\xbodec.exe"	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXE\\bodxec.exe"	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe
4252	locxdob.exe
4252	locxdob.exe
3856	xbodec.exe
3856	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 4252	460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	86
PID 460 wrote to memory of 4252	460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	86
PID 460 wrote to memory of 4252	460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	86
PID 460 wrote to memory of 3856	460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	87
PID 460 wrote to memory of 3856	460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	87
PID 460 wrote to memory of 3856	460	a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe	87

C:\Users\Admin\AppData\Local\Temp\a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe
"C:\Users\Admin\AppData\Local\Temp\a701bdb1ba79117b1313008bbc4e700464c920f41c91dbb8e408a54b2d74461f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:460
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\AdobeZG\xbodec.exe
  C:\AdobeZG\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZG\xbodec.exe

Filesize
753KB

MD5
aaf6c531f167c31d7797047fc06e6e4f

SHA1
e849f475464c6612ba683f51633c32bddb3ff7fa

SHA256
08bd8b1df7074d5ee4b62e332c05e617c6d0a6338c27ea3d6c704eb305fc7954

SHA512
35542b8b2e3040dedf6bedd0909e273fcbecd64c28fddad7fde095a7727a7fb2357a825f74de27176044e401fc5ff4902663cdb4b6f7a569cb55fd81bca1bf61

Download Submit
C:\AdobeZG\xbodec.exe

Filesize
2.6MB

MD5
2a3b9fe38bb251cbc3f293413661892d

SHA1
9a8581409264054a580150d9774b28d274583181

SHA256
d74f36212dad38b4da6367b5a89252ced383eaa73980e83ea143c16318602fe4

SHA512
f985995faf84187032a2855baec5a7ce88503ace0527a600bf78112fbc809954ee120af3da12a5313d9ca61efa43ad6fb2745cc614df52b5b7f94c27a7bdf550

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
197B

MD5
d6163ff69e80faac81fd63ba25397ea0

SHA1
c1fd355aa843822c9b59043018316aea62901b69

SHA256
77e9b6490e08187bdc5f5627f2efc48b806a295185aca98c4519524b25f1e18d

SHA512
2edfe3ff45865eeab0288929b5288e41be63e4c2badc1c8012d40ccf1bba0bdc6ab183761c16f6d8d49ccf288cab6f5b202656c01b20304815f33be3a7e9a910

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
165B

MD5
e2d5ee6e68bb19240181e7cd4d5f6991

SHA1
a6d90e8ab1b34e5e6d7b2e4f5d660ac0c071d834

SHA256
14e3546a5909e3d1e22105297ff0502ae8d34a7238c3ff0d5977f66e28ad5b58

SHA512
85e88eb5a5130a2a88d472754399a0c768b4e968d8ff4af74b314770af90ae0a2b81814a78791fb9d461bd5cd444ad668ee62d85c1c5f871f349b5ba9b383db7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
076e44a82c72a2761538e0cc407e6687

SHA1
3a17de64a4390471bf23e803e44817a184e85954

SHA256
011abbbabf66e2eb1c6a6a32d1f64b84452d7f174128171c5edf732f6175283d

SHA512
acf6154f630064b3584bb137ce95058a195a6e6ba4a343a0191538cddea10521245ba86cdc55bccc1349c2b3051e9fb4bc60765cb5a937e7791d5458aed3ff8c

Download Submit
C:\VidXE\bodxec.exe

Filesize
2.6MB

MD5
d7ae57dd973aaa574f1dfb2122250ed2

SHA1
e4b6d14b53f46036069ca0427716c9224e91a788

SHA256
aa1e54c4cc628eef5a36020ecd1ae4198573962262a7f6b6c85ffaf68878a20e

SHA512
0dc58da72f28dd1a17d236d5888906e7452e1baa9f85056cdca3b2b30f37e124d70d6aeb3105a47faa06a6e805b62f1acdf8c22af72145fcb909b35da1dff8ce

Download Submit
C:\VidXE\bodxec.exe

Filesize
2.6MB

MD5
04b34935601efc4dfe856bf013d91f54

SHA1
31ac09cec80ec9e2332a5dec482e934613375225

SHA256
76d37127a144ebdefb86e4757dfbf820b21a425f85667db90a7e182dfe84ecd1

SHA512
697ddce44477909c5c27d0881b87d2928c1600b0fa5bbef4b77161165a32ee868b0e9f34655e315d1ae1f4eadecaa6ab06799de5c48b62e8786cf760e9f8580c

Download Submit