1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
Size

2.6MB
MD5

b80a0c83e33316345ac05c9fc227e4b7
SHA1

7ed63abadf1a1a22db61c4f50e7c1fcbb8592186
SHA256

1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a
SHA512

f938542aa4bc9fe57b74792107054b4994cb1f7a120ec0db27eb562a286d72d052a5a1a5a3bf5824149a63df5c418469132ec9cce012092ab652e968830f118d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bS:sxX7QnxrloE5dpUpzb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe

Executes dropped EXE 2 IoCs

pid	Process
2280	locaopti.exe
2564	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQ6\\xdobec.exe"	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEB\\dobaloc.exe"	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe
2280	locaopti.exe
2564	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2280	2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	30
PID 2440 wrote to memory of 2280	2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	30
PID 2440 wrote to memory of 2280	2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	30
PID 2440 wrote to memory of 2280	2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	30
PID 2440 wrote to memory of 2564	2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	31
PID 2440 wrote to memory of 2564	2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	31
PID 2440 wrote to memory of 2564	2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	31
PID 2440 wrote to memory of 2564	2440	1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe	31

C:\Users\Admin\AppData\Local\Temp\1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe
"C:\Users\Admin\AppData\Local\Temp\1161755d2bd7817dd280fc4605ed5da2113fa8514f5d138ba588b1bdc4f4d53a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\UserDotQ6\xdobec.exe
  C:\UserDotQ6\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBEB\dobaloc.exe

Filesize
2.6MB

MD5
d0ebd2b03e3c2b2b3ea2430224fb6793

SHA1
517669af7400fc46155097947c0fd0c8321acd6c

SHA256
520e6614d80446ccd9887d41354e015192701b89dd7415501a16a9a882afd34b

SHA512
220bc32937b9343919ecbc419bef12db7fd0ac28019238c2b6e60e02ca65892a7e6f787deb7cc48083d7fe709fc3b095a6c11169ffc29ea5440a862f8fe50201

Download Submit
C:\KaVBEB\dobaloc.exe

Filesize
2.6MB

MD5
ca4150836dbb00bc0961e5a77062acf2

SHA1
4e7ffefe1791f1b8f1080377e37c1786004d9429

SHA256
0472ddf4f65ffc1e5d32eaa22c87824ba8624f85014db8970fef4f15641ac1cf

SHA512
595621e029e0ff74ff581cbc57bb794db3d2b56a04e6b3ee5acaaffa07c3b55ce664fa7c8fc13a78ba0f6d70ee5c8e1c11e51bc6c6ad38c100cd54bf6666bacf

Download Submit
C:\UserDotQ6\xdobec.exe

Filesize
756KB

MD5
1c79327c2be08984cb56dbbaec7f32eb

SHA1
0778f38c46fc3d846828fbe0811ba99c91d6294f

SHA256
62869588dab0e6bb43d9603b759a388faae6f96767f5eef23378183e9fda4c36

SHA512
064e5e86142e2b4fe449bd496664508380adb7a5f83f84704fd5374d04201ffe0d3ca265449aaa7cb58e806a262dc65ffca4e6e89ba7ff4caa730da5e77f4b4e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
ff5f5a6151a728c8d8085d2f69d8cd35

SHA1
f56a3c960fa299fd941bb49afe5b182a10e9d0ff

SHA256
3c31ace48eed1b56228f4ac6861a9e6e53d022046534c46321b2922e0f44a9be

SHA512
912dfd49c24ac5186b32ef852fe948f29cfa1d8a09a3ef77567fb034b615dc34025b6033bfed574e07d11402abdc2a72275a752741dd77ce127faa7804aa7399

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
fd2287e4db6bec0898aca3f974c841de

SHA1
9d905c87f8e1d069a3268f7dd33bdc31e6bc9326

SHA256
632b399c6efdc18fa77ec7cd578838afd31f840038721672a3fdf8a1f9123b2d

SHA512
a1892228efa2c7137a41b75dc688a9d704ff8f53caf8a8835ead74deb384547935948cdf63df9cf3a883b4053974c07ae11bafb1d1a1089a7630dd21bc565c01

Download Submit
\UserDotQ6\xdobec.exe

Filesize
2.6MB

MD5
da3b02995a08171d06d7adf7df449730

SHA1
3813f49bd8f76be79dbe9c322a04cf64c1ac4499

SHA256
803bac2189cbdc3aed0a86dfc9edc9fa444d6bc1783e08bb11373a49905a37a7

SHA512
9b1d859fd10016ecac8fd2e44f17d9daa8cc70567bafbead33ff895714f36cf0372423a0c76c65b70d08c3e815964036687a553cc5a0dfb7e3b56c180626247d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
2.6MB

MD5
5cce1f390339bdcf9de9a069e08396f7

SHA1
aa632556e42ada0c5bf7d357cd6c18b6d2cdd12e

SHA256
3b773e1fc51fd7797f7f5bbb0448a77ace4db7ef4ccd6ea0e3b5291de56909cd

SHA512
80eb0e58980878a55d7415bb86d29fb6a2d519fb62f72d03da617a382413ecf6fedab172aaf6a93739b6d863ebae2daa054dd0527d8c8789f2955d7d7fcfaf2f

Download Submit