def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe
Size

2.6MB
MD5

7a54c81f211110391a73357140d27280
SHA1

cd9132129dc2fa865df9ed0a1275f1bb3e9684ce
SHA256

def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55
SHA512

91c0c6e6991e15617c9f611ee26ce6aac1a080aff3c692689017bf2bf12b79002e893ab07ebba1ec8062c79ea105c57a93d8df9267dfcfbbec04f86a92d0b7e2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpSb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe

Executes dropped EXE 2 IoCs

pid	Process
2236	locxopti.exe
3824	adobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeR5\\adobloc.exe"	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintU8\\bodaloc.exe"	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe
1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe
1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe
1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe
2236	locxopti.exe
2236	locxopti.exe
3824	adobloc.exe
3824	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2236	1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe	85
PID 1132 wrote to memory of 2236	1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe	85
PID 1132 wrote to memory of 2236	1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe	85
PID 1132 wrote to memory of 3824	1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe	86
PID 1132 wrote to memory of 3824	1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe	86
PID 1132 wrote to memory of 3824	1132	def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe	86

C:\Users\Admin\AppData\Local\Temp\def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe
"C:\Users\Admin\AppData\Local\Temp\def81fe8733d3ac71d755eb6f79f9f970f9e05dc33bf51fe0327bca85608ad55N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2236
- C:\AdobeR5\adobloc.exe
  C:\AdobeR5\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeR5\adobloc.exe

Filesize
63KB

MD5
6c7677e144e81cd66e702670a7ae7436

SHA1
147b64f135340098784432288210b130f43c60cb

SHA256
c2967cce631212ddbaa20c7935725ac7c7d9339b826d7b439c1c3f29e7078f5e

SHA512
29ab17aca2501171aca9d4cab6d7a1d5595d4edc9727d5f98ecfc03af210ed460d14df121041b6bb1a3bbebd256d47b9f54ecd6cd00f59f95d430885308d8c6e

Download Submit
C:\AdobeR5\adobloc.exe

Filesize
2.6MB

MD5
bbb0023c7fdff64a78fd4140e83ffa10

SHA1
ecbcf634eebbe83a9c3086f17c4780c22be3ce9a

SHA256
d11d4dc49acbdd435e63c06649ed74c6b2be040ac81d2d2da3bcdf678add7f56

SHA512
f33b97953292756fca3b4b93ee1a6de7657eab1ba16c19f8134d01d1e432d78bca60228c7cf030fd4c9084c57eedb943a404ea2e867f77316be3ba88e39c7c9c

Download Submit
C:\MintU8\bodaloc.exe

Filesize
50KB

MD5
5a5665c7137dbb99c240364297a4a512

SHA1
382969d394b80571fb04064003528f6f7cb81c89

SHA256
43da80304f219af92d96cf484c45a88d31282f654bab20c3b544a38bc2b1bf0c

SHA512
33b15087e7796b5765f6e892f3aed8ca9515db91a47d84744d014014ed36b1a91df2e1fe0609dd04eb0f54498f460a4cf2af8d67cc9f898e606ba34323841b95

Download Submit
C:\MintU8\bodaloc.exe

Filesize
750KB

MD5
43199eaccc5ccac89f9b44b63a09d82e

SHA1
5444c29812762e7fbeff498304d5f8c96677b387

SHA256
60823bba78a71b9a2f73f07f50cb5f79e17cca4b5afc5fbf6f807b1671e4bcb2

SHA512
4cb5e4217c2b2d87404c3b6915df430a5a007be157a8510317c671de226f99bcadeae542a0a9059f6dff56fd37396cde4dc0b7d6bf04b41619ffbd69d08d3aea

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
74d67054ad509b454fb835fb98e47561

SHA1
2618ad4b81507111c1a5cd5897e5330446b6ae21

SHA256
9c252cfec9f1f23d32d99172ba5de077551d85a21248452afaae78716c776b6e

SHA512
13f1716fce610c316c8533ce6efe719137a765ddf110a121e2f4264e5ce7d9d3028a6639f495fddbe3cf929dd4742e287c0f8fc76edf2070b917645e259dced5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
b215b2712ba38d0743d8a54c96f73fc2

SHA1
bbafe2c64433c45ee060bdc2fd74ba5555953480

SHA256
acd5b1d1bbfadcfc1bf48b18282de30ba71e70601eaed00adfb64128a7d83d15

SHA512
9c2db0440080d141514fc9fb25d3c18541aa316de87dab3b49e6e331c03a4eb35e71301212db5782d470e7d1283f1a1c35f60acd45fb52b8b70297573d32a4b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
9c9ff5b5beaeee30c0f54f85eac7fd76

SHA1
fa84a03e629580826f9b84cf8d60438f4c89266c

SHA256
3dd7c8eb228b16fbca4e2f41accc586566cc6eec8cd6476163aa880ec81dd8eb

SHA512
87810cbee38a76ca19ec2574c83a3c2a9293c9af10ef035c0adf4f71a3235b41f7e8cff579d6f2df2bb8dfb407b124c68eb539966313fece3bba49471fa47edc

Download Submit