b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
1597s
max time network
1616s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-12-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Virus/Xpaj/xpajB.exe
Size

520KB
MD5

bd76fc01deed43cd6e368a1f860d44ed
SHA1

a2e241e9af346714e93c0600f160d05c95839768
SHA256

e04c85cd4bffa1f5465ff62c9baf0b29b7b2faddf7362789013fbac8c90268bf
SHA512

d0ebe108f5baf156ecd9e1bf41e23a76b043fcaac78ff5761fdca2740b71241bd827e861ada957891fbc426b3d7baa87d10724765c45e25f25aa7bd6d31ab4ec
SSDEEP

12288:Kbx6vZrcRsEQNMnnGpL0zTnPzCFjBL0C2k8apE:Kbx6vam9innGWzUB

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
3640	Process not Found
3640	Process not Found
3640	Process not Found
3640	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	xpajB.exe
File opened (read-only)	\??\k:	xpajB.exe
File opened (read-only)	\??\m:	xpajB.exe
File opened (read-only)	\??\q:	xpajB.exe
File opened (read-only)	\??\s:	xpajB.exe
File opened (read-only)	\??\t:	xpajB.exe
File opened (read-only)	\??\v:	xpajB.exe
File opened (read-only)	\??\h:	xpajB.exe
File opened (read-only)	\??\l:	xpajB.exe
File opened (read-only)	\??\g:	xpajB.exe
File opened (read-only)	\??\o:	xpajB.exe
File opened (read-only)	\??\r:	xpajB.exe
File opened (read-only)	\??\u:	xpajB.exe
File opened (read-only)	\??\w:	xpajB.exe
File opened (read-only)	\??\y:	xpajB.exe
File opened (read-only)	\??\e:	xpajB.exe
File opened (read-only)	\??\n:	xpajB.exe
File opened (read-only)	\??\p:	xpajB.exe
File opened (read-only)	\??\x:	xpajB.exe
File opened (read-only)	\??\i:	xpajB.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\SevenZipExtractor.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\InkObj.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_mt.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Windows Defender Advanced Threat Protection\SenseMirror.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwgst.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\oledb32.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\Microsoft.Ceres.DocParsing.Runtime.Core.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\dotnet.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.ArchiverProviders.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ko.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_th.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msjro.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_km.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\adal.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll	xpajB.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5108	xpajB.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5108	xpajB.exe

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Virus\Xpaj\xpajB.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Virus\Xpaj\xpajB.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

Filesize
279KB

MD5
7efcf0111eb7a22aec8410d6a427b328

SHA1
d6828e7c4fb2789da55899e69c6197eaf4017b88

SHA256
7a83319f41c626818556e406b5b664aa4c102cb851269e9becbe3041bde4368a

SHA512
c1526e7bfe3c9f5d9ea9ab0f18d555e01f107ec56123ab83b8677ac24da57e206fb02a0148d2ae08ceba6ec4c10f42a46b0093e2324c0d723f09ec1fd4f43d97

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
1.7MB

MD5
c606bd7c9c733dd27f74157c34e51742

SHA1
aab92689723449fbc3e123fb614dd536a74b74d4

SHA256
606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0

SHA512
5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
memory/5108-20-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-23-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-5-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-7-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-8-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-9-0x0000000000454000-0x000000000047C000-memory.dmp

Filesize
160KB

Download
memory/5108-12-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-15-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-16-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-17-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-18-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-19-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-21-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-22-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-6-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-24-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-25-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-26-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-27-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-28-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-29-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-30-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-31-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-32-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-33-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-35-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-36-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5108-37-0x0000000000610000-0x0000000000634000-memory.dmp

Filesize
144KB

Download
memory/5108-4-0x0000000000610000-0x0000000000634000-memory.dmp

Filesize
144KB

Download
memory/5108-3-0x0000000000660000-0x0000000000665000-memory.dmp

Filesize
20KB

Download
memory/5108-1-0x0000000000454000-0x000000000047C000-memory.dmp

Filesize
160KB

Download
memory/5108-2-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download