93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73

Analysis

max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
Size

2.6MB
MD5

366e73c620dc7a1118af7849d6636090
SHA1

c90bef0688b879c8fc08469634d52ecaac31acfa
SHA256

93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73
SHA512

d45cfbcff376b65e6fc452d22c50152a075c94b15ff827baaa82b818fde1e6f02e8f3006d31119a68269f9db46f4b6bc914336d29af0398be75db3a319ff8e10
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe

Executes dropped EXE 2 IoCs

pid	Process
3328	locaopti.exe
3144	xdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeK3\\xdobsys.exe"	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKD\\bodaec.exe"	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe
3328	locaopti.exe
3328	locaopti.exe
3144	xdobsys.exe
3144	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3328	4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	89
PID 4692 wrote to memory of 3328	4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	89
PID 4692 wrote to memory of 3328	4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	89
PID 4692 wrote to memory of 3144	4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	91
PID 4692 wrote to memory of 3144	4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	91
PID 4692 wrote to memory of 3144	4692	93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe	91

C:\Users\Admin\AppData\Local\Temp\93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe
"C:\Users\Admin\AppData\Local\Temp\93dc8850981e55c033468b890ac1920b080a3d466f90d6c74064624316f78f73N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\AdobeK3\xdobsys.exe
  C:\AdobeK3\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeK3\xdobsys.exe

Filesize
1.8MB

MD5
5953dfc3bd6c0c69997579f56531550c

SHA1
fea36a80458066894f0c8e20c8022627e42443bb

SHA256
56da7d1b5e1ab895aa9b11cba00300ffd26499d3be32d786bd0c5ccdb80b6998

SHA512
ef63bb7e6608b63d5400822447ea12279173a919201e7954538663fc82cff76189760e094bc87aabdf47ebaa7939304b54378c4a2defdb3824d08a0ccda41b00

Download Submit
C:\AdobeK3\xdobsys.exe

Filesize
2.6MB

MD5
5885d7cf69b4b347dfbd61683159b2b2

SHA1
27dbebef3823e9fee612b006be479232b2c430c0

SHA256
9feefc1f82b6dab95f3d8a7f532e2420bf7bb8fbb22deca81422abcdec8daa25

SHA512
2d0d046ab8ff7b5fa54d8fa24b64b26b8211cd49b71c170214434885e0eea68b8be9df4dbe1fc894598339fe61d4cbae739a636ff62dca1219ca28900fc70522

Download Submit
C:\MintKD\bodaec.exe

Filesize
90KB

MD5
ef45277964a0fe192828a55110623d96

SHA1
71e796afb0e2617a91eeb80490b6b15dabe8244e

SHA256
d8a074c5716c36218218d75ee7eaf05a6556dfef0c9ee19807b4a948c9c81f39

SHA512
9ff5a85201d31be2371f92d8f140d6d5bc54a3284559a7529824c004a8939c42eb3186e4ecc600ff0be818b752538ef37140e32067a0338b899a5d57f3953f8a

Download Submit
C:\MintKD\bodaec.exe

Filesize
2.6MB

MD5
a4663cb704876450423e1c01ba2ce084

SHA1
bf49328ef507bfaed2557736ba4a9050757d0abe

SHA256
46f31f35d6a8a299466b28e425768eacebe61c18f8589da314917b29658357fe

SHA512
0a94ed3b54a5be3c5869f9df51d495178cef23e55f63d8ede1d7dcb6ec37d589e0d1b5a3ed3dbfc2331512a580a03eaa7e7ed680a2a7aca03544ba584f17db94

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
2535a0bec017ad4237dc5f2dc9489e97

SHA1
732a885f0cee6ad5599b266b426ed0c9500f6358

SHA256
f9a742f444f3ed0ef2a8eceded1ac316bcf205f5b1073931e96b3d6e53d4f2bc

SHA512
e66ea42166cf23229e4e539c62937bbce0795c8c062142eda5353d89285c268ae01afc1fed53b13b392562d907fd2027e61f8fe2d5236b1f5d157580f75fd00d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
b55e00602da9415cdcad0782ef3c63d0

SHA1
c390deebf41863d12216534efadf95a98db6a178

SHA256
2722d5a1c36c93b4aa11e33b5350a2fc20396dbb91bf5a24b40bbae0dc64ce92

SHA512
babf3a0ddcffbdd9a194aa789b3a380108f4a0899e3e0ea41703b21c4945cd5c433523fc5e936d55af54c8935291a6f960d2c9de0304c25e285cb9eb77fc4bea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
e6bdf6d34cd99a98069c16251c51acd7

SHA1
79a6d9ca883769e3b2b1b1cef29e35679070c9b0

SHA256
0f6c6e0acea741c8f4a7d88793dddc77a0ce65a85641cbbee5cb255685858ae5

SHA512
bc791ba92a44c7ac80d886fa136fcda43f9fc9331a5b61b519bcffc2a9d7033e9378120ed24204e58ed47d2487eb348998310cf13821b62ffff74f85e7a0f637

Download Submit