d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bd

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
Size

2.6MB
MD5

3a137d321bcdc3939aec35a7c4166a40
SHA1

2077412f1ee5fdd1304d1c57b1b06b477acfa3e2
SHA256

d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bd
SHA512

3fde7eb42ffd99de0fefc2453221e4dea1187771a2d199e2f43bb9142fffbc27951a28042cfe41595d20e61af9d7c99dc76c6765c0882e0431e066cc4b162006
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe

Executes dropped EXE 2 IoCs

pid	Process
3372	locxopti.exe
4372	xdobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHV\\xdobec.exe"	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid02\\dobaloc.exe"	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe
3372	locxopti.exe
3372	locxopti.exe
4372	xdobec.exe
4372	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3372	4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	86
PID 4816 wrote to memory of 3372	4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	86
PID 4816 wrote to memory of 3372	4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	86
PID 4816 wrote to memory of 4372	4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	87
PID 4816 wrote to memory of 4372	4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	87
PID 4816 wrote to memory of 4372	4816	d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe	87

C:\Users\Admin\AppData\Local\Temp\d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe
"C:\Users\Admin\AppData\Local\Temp\d3185272934e033c540f287a13a22acc39f1eac9e872327b1c5f2713f9f403bdN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\SysDrvHV\xdobec.exe
  C:\SysDrvHV\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvHV\xdobec.exe

Filesize
565KB

MD5
6a720266fc41fc4fdd5492221514c88f

SHA1
772504e0504e857b5c30b930dd2234c952cbef19

SHA256
0b4960dbf7ef599ffe9e2aab756e12eb9f3f695226dcf3e7041198f1450ebf84

SHA512
147095a0cc1462293c5b2254ef76e1002d19164430f38f065e4b035307cc1c09030b942e0245b7e96f2a8b31c97abbac5e5a03a3b18f875cb4fa3547d6bdffca

Download Submit
C:\SysDrvHV\xdobec.exe

Filesize
2.6MB

MD5
a6f76c8171d0f63f7a1e0699d7fd25a0

SHA1
a329adf79c5a425e2fbcd75a183bc9fe074a826c

SHA256
3b030668c28e7d2dd67ec4c23431185b3b1202ba550a2f5959a2cce4b5151765

SHA512
e1e62f93e7d5fa386635f870d3905e547959286e602bea67dd16fa675c43577824303ec4d16cd1aa8246e281c86eca0697d29a188bbf50ef43a24ac29a694b5a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
e0f61a1f6a5c938814c54fa44a0188e8

SHA1
1c5dc024f4e6168bf17fc56c38b12cd4c4108338

SHA256
c04d9adb64b2867f10d735cb626f5daf1793caa5cfd85e3127621f834fc07658

SHA512
b82808f9ce7a385433447594c1855fb81d2e9b1510d5e1e55492bd80baf60bf983601bc2694283de9c97e57491e0aaa8ada857acb18741806fe253ccb4195b0a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
4d19800e2889c3f6b279dd521c4c780a

SHA1
59d5fc1223b8d15a6f74dc6a58ab81f8a6a42d63

SHA256
e03fd5c7ec3804c93d17757636930f5f00427ddefbf3a1c57b223e95384f0af1

SHA512
e44ee4f390a336626ece0d2d5e02fbe817a0aab38f6bb84948936d312cbde72a9a72fd488b57c94c65e79009d1550ee321c730815e049a7682bdd31bdd7501c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
9b7b1720e90be165bcd9c9fbae4580a8

SHA1
0a05e338b03082fb573a2ba0947c047a5ced921a

SHA256
21ae3677f41ca465b4168fa7166bd86f4abb9075c77d9da9a06ba5a3ebf6c395

SHA512
566bdad8ea4fa24a6aed12ee8169e6924a0ae2b4005b97c68d7f50f562ad20805a7b6c81d264a27cb5543d779247c2b535a38d99fe7e6ab76030345309897e09

Download Submit
C:\Vid02\dobaloc.exe

Filesize
2.6MB

MD5
a1175c85cb0edbe6750e440350691b31

SHA1
217255df0b3b283b39c1cdaa106001a9620bfa82

SHA256
acb92922680ad93fc8b524735968bba831f7465e15ad3ed00b0ca9819e52827f

SHA512
d509afe3f7f5095ef11ad091f34064a8895ab8dfa5c44f3a5b663b649b664da903acec91f74a86ce6d8f85f73e6579fc14e0b20996fbdd8d03b179fd549bde85

Download Submit
C:\Vid02\dobaloc.exe

Filesize
1.5MB

MD5
cf5fc4f2771d6bcb8d82e41eb41b9f51

SHA1
b49f618f7ab2eb079a60e14fd9cac48edaec86f2

SHA256
a69b34f9e409d1272e4570be3a749b91452318d654d6f13cfd1bfc5c864a9671

SHA512
53600798fba2120ea778cad26614e078a2c4aa25bc2b4444a9663d420189f6e458bd943233a0b845ec4e5c6a40b8968d226efe1ff0c116142740aa444052c5af

Download Submit