3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe
Size

2.6MB
MD5

f933d125440191af4707a83ee6ccb4b0
SHA1

8c4cf664801f31da6669cc9f6c4956272dc6f6de
SHA256

3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692
SHA512

bc7eba982c70e7c1f9e3cb735f8f2e3e289353155c1d3b20a7a57cfb27b2a9fcd6c14e8c1196fbf74f284ba370ba0ea63e3f3e909276b6ad4c277075ba2c2812
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe

Executes dropped EXE 2 IoCs

Processes:

locadob.exexbodloc.exe

pid	Process
2532	locadob.exe
2544	xbodloc.exe

Loads dropped DLL 2 IoCs

Processes:

3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe

pid	Process
2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe
2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWK\\xbodloc.exe"	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFW\\optialoc.exe"	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xbodloc.exe3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exelocadob.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exelocadob.exexbodloc.exe

pid	Process
2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe
2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe
2532	locadob.exe
2544	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe

description	pid	Process	procid_target
PID 2252 wrote to memory of 2532	2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe	30
PID 2252 wrote to memory of 2532	2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe	30
PID 2252 wrote to memory of 2532	2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe	30
PID 2252 wrote to memory of 2532	2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe	30
PID 2252 wrote to memory of 2544	2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe	31
PID 2252 wrote to memory of 2544	2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe	31
PID 2252 wrote to memory of 2544	2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe	31
PID 2252 wrote to memory of 2544	2252	3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe	31

C:\Users\Admin\AppData\Local\Temp\3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe
"C:\Users\Admin\AppData\Local\Temp\3e3e5bb4d57f73637517a045c1e380052b70874974a46131f18f5821423bd692N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- C:\AdobeWK\xbodloc.exe
  C:\AdobeWK\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeWK\xbodloc.exe

Filesize
2.6MB

MD5
6ea8a178806ff42436688dae3e3d3afe

SHA1
a9cd8a30b24a2121118034f2ee90f2c4a4a4f954

SHA256
c0d68082161944c1256039d0950c55e480ee938cc895125af9e8598711d7bfe3

SHA512
4c669d38e2ff99921e1ef77e5cbd87a32ed365b6644b487f3d9d1747c2a0baa258080ed83cceed10dfcd4c7977639778d8d742f33febf60f449b3e7be42b21bd

Download Submit
C:\MintFW\optialoc.exe

Filesize
1.6MB

MD5
a23f73456cf57f6942ff1fe1441b4cae

SHA1
2dc6db7f1898ce8fe16042906a0cca3004bcc464

SHA256
46a4a60f35788c824b4899fe1e178c160bc9f309a484bca43fa7273c2806a411

SHA512
862f33ca57f221b0f66a5fe456eff7a2deab22c377d53af64984166a25ef631f136997e8e3f4ab64cd0c55a335e2ea69edcce5dbf987c795617883b972d8bbb4

Download Submit
C:\MintFW\optialoc.exe

Filesize
2.6MB

MD5
d450057bb0b2d89dd7e2b7b659820634

SHA1
fc1fa3ea2ceee9ee7003514ea27beb386904c5c5

SHA256
c10d24c0b2c0b3f806f81911660a1a48b246e1e134d529efd977e7603697ed85

SHA512
3a98c79321230a0c2045ca3ac864ca76fb1afa389551be75a7669b890ea8fcc04cc05a3dcd59aac00900239bb7dcd894f59f484ac304cfb1fb88f58fd886c224

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
3ca91c2e8cb7578f9c2d01459e5c7ecf

SHA1
4631c993f2c7ddb5bcc5f1b0fc3a2123f4003d51

SHA256
471ade97bc61059c7caeeef0e5baf71e01def601371c13e9c0e15e74f47bca73

SHA512
9b6241d4a35968d8351c9efbf4d12a77f7b468a48b56d76e0997d86f1e4cc5a678aa966096276e30264aac3e7410fd99c2e6846fee450b10c64a2686cac7c574

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
7b607d41d95cb59474d35298c5dd29be

SHA1
84a5f367f4194d8b0b47f85ca53628b9eab271d9

SHA256
358e9cbe4cd10239a58562d2017f247b0323bc4df6232e5b628444833a8c462d

SHA512
38ef11dad6c73058df60496c1481ac67ec59eeaf62050c56537b19484db7898388cb3a82842d18d7e5666548090e5989ebb85e22e297361e3ca9e225ce964592

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
0c1b760c040fadadcb1fdbf170edf383

SHA1
a9bb4b9279aeee50f20ceffae8da943ffd001160

SHA256
925f7e7e89984a6587adf432247bb1f3ef9a236db2ca9a20fbbff6d115a05c37

SHA512
a38dc8281811faf69f080a365273386456abdbb33cfde4160222916269c299b8820baf03239613b7d73247fbae96bff78824c6a1ee8f927be8b647845f547cca

Download Submit