cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe
Size

2.6MB
MD5

3b27015e3aac8b706f3f9a946f3a8d2b
SHA1

3b3398cfa745f4fe1ba8b9db3528fe4c5a7b9f06
SHA256

cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a
SHA512

2e88ac4556cff6be016e6aa82feeb0b52a65722463c1af6f6f30cc6e058ec100a4e0157c38b7a6c248965741b2fefcc511ff62db995a3117d94dda9e88a83d1a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpmb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe

Executes dropped EXE 2 IoCs

pid	Process
2816	locxbod.exe
2116	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe
2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKX\\adobsys.exe"	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAZ\\optixec.exe"	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe
2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe
2816	locxbod.exe
2116	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2816	2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe	30
PID 2676 wrote to memory of 2816	2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe	30
PID 2676 wrote to memory of 2816	2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe	30
PID 2676 wrote to memory of 2816	2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe	30
PID 2676 wrote to memory of 2116	2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe	31
PID 2676 wrote to memory of 2116	2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe	31
PID 2676 wrote to memory of 2116	2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe	31
PID 2676 wrote to memory of 2116	2676	cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe	31

C:\Users\Admin\AppData\Local\Temp\cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe
"C:\Users\Admin\AppData\Local\Temp\cb66b9b3f82a698e437c3c335efcc3ff1c32fbbd916116ed54d8d0aee9ace50a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2816
- C:\IntelprocKX\adobsys.exe
  C:\IntelprocKX\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocKX\adobsys.exe

Filesize
2.6MB

MD5
59b7ccb18195b9eb34e321a32cd2de37

SHA1
d025faa512d3231593d911469fb60843b5cecc22

SHA256
9f9184787810dd7746a44d81cd8c16fe12b01cf059a8c00af11bfc59d8f2a382

SHA512
afbbcca8b8e368ae1ffc0106176949db3af6123452fda30261f8a46510617360be61a3969db9f3e4280fcd99a7b71ffa8bd639add41abbad2f8f5944446024e5

Download Submit
C:\MintAZ\optixec.exe

Filesize
2.6MB

MD5
8bc83277d13780490bfb0968719540eb

SHA1
f2bac62631b36dad73ba0a25f39789e34991c9c0

SHA256
ba422b0de1b26941f3259036b6ef57d66cb316d82e260caeac65e7d51eaed2ea

SHA512
dac3b430b187908dacd389026466951dfb42e45e9f28c3f062cd92dc827ded2fce7e029d31d2f3b4282355455a49ee84fa83d7f7f1f6c57ff77b11e357243c6f

Download Submit
C:\MintAZ\optixec.exe

Filesize
2.6MB

MD5
dfd656c3dda85d6713573ec99f69e824

SHA1
b2eb1d67aecd5fbba73bdec75f5993dc0226cd46

SHA256
eca7c977248f55c08c29b9692e5acaf153dd45c79577688d7a1a7111a0681259

SHA512
832041629261e598e619837e83ec9dd4987dea91ea3c07bc977ead7ee3866c3fd4164d7dc1d636bcbfcf7d28705bb8d7d5ae5b20371fdee40cf5037e6fa49709

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
797b6059ec71bf3887b69d92074d6d13

SHA1
881e72cf469fcac1ab98e925e979635df42e8e0f

SHA256
434b947452963d1192a1636e953e934233a35b0bd4489da76a71ce4045568deb

SHA512
234dbcce786dfd3f73e65f9e91c765957711e38e54f0b4ffe4f758828d3d653a2fd1062d0b66dc7aae896cb09095dbcd01e835ee0d5a3eeede429490397970e5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
fa0be362950ec6fee56b18881b829036

SHA1
64183fb8f868ef52138f3386d72f307020e57d77

SHA256
e61e35d8dcaa34fc589641e9ce775018be7229257ae809db0a229d06cf12fc27

SHA512
c582d7684aa3b51dea01c12d05c096c9f7d9072c5866243ab9802dad911f186b8d13ea59d6628d542459d88d59851254f63d0402634d314d6511b6db8957374b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
075dac215144e97b80002c11c55aed87

SHA1
d31d3ba6378372e249886969b8728a4444b5f0d6

SHA256
331df09e083185e441691a2af4374d27773d2a9502b12828c94fb278a608e99d

SHA512
df891e18070174c7a4c1a96e23883d874618e765ee287f3e969fdc8046293e5b91b7ef01b95273a32cfe802ef8960825dc79b9cb0700e81b4af10aca4a7ebcc6

Download Submit