861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
Size

2.6MB
MD5

ab7eb0d2903807239b7117525cfb7b40
SHA1

8a865d4513e85f49f6cd6d76ac413b40e8c2d638
SHA256

861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37
SHA512

055ca8d1088cb92c0fcea0d12dac839bf13151a4695f9d062d388dea4286824ea1f1fec93df4d358539dd4cfddd441477d4fc21a3248a2cd2c71a97fb55eb4c8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bSq:sxX7QnxrloE5dpUpcbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe

Executes dropped EXE 2 IoCs

pid	Process
2280	locabod.exe
2564	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAL\\xdobec.exe"	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCA\\dobdevsys.exe"	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe
2280	locabod.exe
2564	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2280	2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	30
PID 2512 wrote to memory of 2280	2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	30
PID 2512 wrote to memory of 2280	2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	30
PID 2512 wrote to memory of 2280	2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	30
PID 2512 wrote to memory of 2564	2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	31
PID 2512 wrote to memory of 2564	2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	31
PID 2512 wrote to memory of 2564	2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	31
PID 2512 wrote to memory of 2564	2512	861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe	31

C:\Users\Admin\AppData\Local\Temp\861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe
"C:\Users\Admin\AppData\Local\Temp\861f334e47a60dfb4b4fbd47e1943bf84b22790d901980bf3ba5d7f504f51d37N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\AdobeAL\xdobec.exe
  C:\AdobeAL\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeAL\xdobec.exe

Filesize
2.6MB

MD5
5ccb4765b6b4d75c0a7b1dec319c0c7e

SHA1
fcb0464e86fe90369aa9ab79e93087328f1aa81b

SHA256
a3b2b706e36b6efcf2959239864e39f8db30e0b5fd89f58f3344aa4dfee5c98a

SHA512
9c9dc7613ff012a8e49c7902c5f43ee899cbafa77d919dfd637efa5c72d0cb47a53ec59915cabf069f64fe1f4f9c811e55a0cd95a69497505bab46cee9d23be5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
001f2fdcb33c3b36f249decfe708e6ae

SHA1
61f1dc4674a600628cb5680a866c68ccda58824d

SHA256
6c037f66ec8687263bab42bb211e32570585c03a83ea7221de1a2bf7ed47f274

SHA512
609497c66e0e18baa73c9b33504777366168b97449de3c603d728f4d14209e2c0fc3d7aa68ee841d9ac5032dda7228f8f8fb2270c076fc3c3583b5122da7a2e3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
478aa919f81de7d378b919c2d71129f0

SHA1
0a3d43f941cd77384a136bc1e1c7b15c68a56c2a

SHA256
663115e45d9bfa70c06cca8617aea58d2a2a2a9fe81aa988ed06791d2cd317c5

SHA512
c720e809f98af8548a26c6c792a6a8e2525e27e2b28fae704573e030b1f45a974888cb48c983373496a570b75370c2d9afa5770698a02ab85d4c07abe7661bfc

Download Submit
C:\VidCA\dobdevsys.exe

Filesize
2.6MB

MD5
7ddac29edac80139dc6067c997247267

SHA1
7a94472d4933abdac2464f39773c66a3b493dcee

SHA256
8a733f0b001164ff133a6e6f6bcca35ef809de777945758ff7d54e6204087d59

SHA512
db1e4edc48e8bc3870b15c00526a818d64c1d896b6367ddece5e1f95449383140ebf6cae7bd69928f5aecdad1ca9b3cbbb26ea88cc3bc53a7210bac2dc04a2fc

Download Submit
C:\VidCA\dobdevsys.exe

Filesize
2.6MB

MD5
c71095a90d8fa728e77fb0ec566aefa3

SHA1
0be9f0f6c45bf39656cb9983fcd03035733125ef

SHA256
480df3cbce5eecbd452d1cc9359d8739e9856e79929118f27a439adf7a8b775f

SHA512
7363c35b7823984d52738aa8d90217eed988d3862fec446ef683485a19dd08a8e7665da850de41b6920dde7c4ab3bb1c9baa9da97ea1cff7140dfacd8e9672ad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
2.6MB

MD5
0b69723de2abba7f1968cfd0cc51f017

SHA1
293e525831d4d78eb6d6fd1e175c494ddb143155

SHA256
39ab6e7197d04b16a4c1b69eba9723edff31438f0d826885f1f8155bfdb80c8c

SHA512
6da5c447df7ee4c24ad46f507ed5b54d0d5390928664a95e56162e78d0ac39aa0ce18a3185a98dc372ab86dedb723ec8dfb29d5554d1c32067ff749e9acc5cbd

Download Submit