899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
Size

2.6MB
MD5

85214b013a30a30ea2fd9d86276a0830
SHA1

370891830afd0cc8a3f1869d077dc668cf5d8a30
SHA256

899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504
SHA512

925b0be12f62233e17a1928defe4ebc35a4ff62c66c93c9c9e0f39ab902674f9c8216b39f0b67c0801d826f1367a493e0521badce45730a621c88d4cd5fa1bf2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUp9b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe

Executes dropped EXE 2 IoCs

pid	Process
4972	locxdob.exe
2068	xdobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7A\\xdobec.exe"	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintTG\\boddevloc.exe"	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe
4972	locxdob.exe
4972	locxdob.exe
2068	xdobec.exe
2068	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 4972	964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	89
PID 964 wrote to memory of 4972	964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	89
PID 964 wrote to memory of 4972	964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	89
PID 964 wrote to memory of 2068	964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	91
PID 964 wrote to memory of 2068	964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	91
PID 964 wrote to memory of 2068	964	899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe	91

C:\Users\Admin\AppData\Local\Temp\899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe
"C:\Users\Admin\AppData\Local\Temp\899adac1eff0b61dd48b816c80e41ef7d5e2c932b2e96d3dc1e7fd25c786a504N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Intelproc7A\xdobec.exe
  C:\Intelproc7A\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc7A\xdobec.exe

Filesize
1.2MB

MD5
30610d82a3718e99ab3c529a3e60675c

SHA1
d46840cf2993d48b0d666d582865208b28144e24

SHA256
80edff82a458c4071110925fb69a83af3e0990452ad7419b1eb8152a377cfbc2

SHA512
67d345d8fcf98a15aaf94e58efd3424fea360f0450ecd3b6a018bbe048f99a1ab96be957e42fbbfcb91db792c5e887642840c5bedecb1da998d40ee6a4cf13eb

Download Submit
C:\Intelproc7A\xdobec.exe

Filesize
2.6MB

MD5
2cfd6a4d9bc3fa79601ebcfe4b266744

SHA1
546cc36ae2aaf4b53a3af246364cc16c98e458e9

SHA256
3e6f75b014aa62454a4cb1cb6c17e7be49098a36d7cdcaa87497b2f0e1f3d823

SHA512
8b22f961a73acc2bb86d0c371a3f6d5be47a4e0a0618279b3bccb6d97ba3ef387ff50a5a562a289fa33e7f17eacae3410946b9f09cef0cfaed66ea4b080d11bd

Download Submit
C:\MintTG\boddevloc.exe

Filesize
2.6MB

MD5
5590e48f98af3150c2a842b46cb215e8

SHA1
8946e39e197f1a24a2b0c9f754dc8e29cc78c417

SHA256
cc3500ef48509aad4085151a7b69105c53e7b113c8c758d503d57d389d2ad935

SHA512
1cdfd28d6a841f6292be9682c2e6f8db23565c8b3d7a5ce8a8dfbfef66e5b0bcc7ffd7e200cbf49141de939d0b8dac1c7cc7dc63ce50eee8b876f2515290ef57

Download Submit
C:\MintTG\boddevloc.exe

Filesize
2.6MB

MD5
e8eb181b61e69e019cd7b06eb29d69e4

SHA1
e4876b3a937c0eebe347480d78b00459f8588ca0

SHA256
aecfb7314c2c8e77f83faa622b365dc26c369e135c86754447d3df77a26740b7

SHA512
1aaa42fe379fc938f9fae2cc97dd22cb49fac72042c25a3d6dae850d42deb3c6b35596e44af3a2e10f7835cd32ea30cb54621efa836c200fb1a11add94ca0164

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
4fc5fb0fdeeb591569c3c64a4da544dc

SHA1
bf1f7fe98506622d64a736344bae3722593a906f

SHA256
c59d40acc093619f707973155471aa54b5a36bc3b274cbe8d939c349aaad158b

SHA512
4c866b5c1868d5145fbebadf81ae6948c31a702204c49a970e493955f22bac66ac290c00f6471d808009745729682d5270c2c0d5ae4180a929ac021463d3fe4c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
6a3f34f3115d119d946ee7081a02b74f

SHA1
98725e78141308d594a7713fe4e219cc1fe1b679

SHA256
50476e46cf7d5de48b35c79b28e8264d7617309e384dddeb409ad5974bfa83f4

SHA512
27897df097dbdf73c9ac6d851b2ee1fd9b5d08b4871965c435de972bbd5054067c805a570a03ded27ae1c31bf7dbe21d5a6aa7a09dae8c3fdb84b967aa301f3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
3a03eef891ad01d6b5416093e35a7ceb

SHA1
955fe7cbdb7f0f965e10aafd18afa7bab26cc752

SHA256
8107274e597cde736baf137620370ba5cddcfe05736030cb03ffd0f1c6702bee

SHA512
d123ab07ae2f8de2f87a9f6faa0f1ad556c5953bb3ce2a7bb711ffc142de5cb28f78749fdec85865b09201592ecfc46b5cdefc7e536a43dbe65910746bf4ffd5

Download Submit