d0051eec84e965bcc80b3d5cbcabfff3a92ad475d6a7b45d8fd2fd37cbe6bed5

Analysis

max time kernel
150s
max time network
21s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2024.02.08/03ba9978296204d2048fb184e546932b.exe
Size

4.0MB
MD5

03ba9978296204d2048fb184e546932b
SHA1

63fc0f70834a1868681c1ac8bf9dca778221816c
SHA256

0af366e7b4fa57f57a14aec07cd5c2991809e96b3d240c9440c1c6e59576a16e
SHA512

4f6c5cb0048ae1d3a8b39c7dcd2fb3901402dac55309efe453b69b7ded5efa8085f27144e766eeddb1c9d38a857dfa7b2bf1cbd6fc52d65348dd76bb3cab3ed4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpabVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	03ba9978296204d2048fb184e546932b.exe

Executes dropped EXE 2 IoCs

pid	Process
3028	locdevdob.exe
2096	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	03ba9978296204d2048fb184e546932b.exe
2204	03ba9978296204d2048fb184e546932b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1I\\xbodec.exe"	03ba9978296204d2048fb184e546932b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZO3\\optidevloc.exe"	03ba9978296204d2048fb184e546932b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	03ba9978296204d2048fb184e546932b.exe
2204	03ba9978296204d2048fb184e546932b.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe
3028	locdevdob.exe
2096	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3028	2204	03ba9978296204d2048fb184e546932b.exe	28
PID 2204 wrote to memory of 3028	2204	03ba9978296204d2048fb184e546932b.exe	28
PID 2204 wrote to memory of 3028	2204	03ba9978296204d2048fb184e546932b.exe	28
PID 2204 wrote to memory of 3028	2204	03ba9978296204d2048fb184e546932b.exe	28
PID 2204 wrote to memory of 2096	2204	03ba9978296204d2048fb184e546932b.exe	29
PID 2204 wrote to memory of 2096	2204	03ba9978296204d2048fb184e546932b.exe	29
PID 2204 wrote to memory of 2096	2204	03ba9978296204d2048fb184e546932b.exe	29
PID 2204 wrote to memory of 2096	2204	03ba9978296204d2048fb184e546932b.exe	29

C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2024.02.08\03ba9978296204d2048fb184e546932b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3028
- C:\Intelproc1I\xbodec.exe
  C:\Intelproc1I\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc1I\xbodec.exe

Filesize
4.0MB

MD5
7d2417ee9949ae388b46ebf4b93c09d7

SHA1
0405d026e1471ed4aa4ce1f75806be62049e1416

SHA256
53dfde1f935374a9d725f73ee06fbe1aedb985ab28b4578c8d90a42b90482412

SHA512
a9cece2c8f40a234313e081bdd88b7fec68e68f744ec906b97bf426b955af21e5337821304a5005fcf867e1accb36b85feac4b3b0b3f5f7bfa79ffc10ef8c1ef

Download Submit
C:\LabZO3\optidevloc.exe

Filesize
4.0MB

MD5
06626406dd524ec36782617321197a13

SHA1
4fa8201102c35f79aeb7cd17cbae29fb14b536d4

SHA256
ff0eda7512ffa442994a9b77598691531ffefa859a87f18eab21ae13dfa32e0f

SHA512
7472d95ea7e697787e13d96f42f0e8478d2baf4ecdaec6f7a652051a3838089d38e404e056cfcfc1e3f8dca3913b2214694d24ca30449fef8b1a43fb3167a3d4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
d8fc55f2b25ff1bdba323aa4d24bad4f

SHA1
cec6ce67b68b33b389189e2f04ab95efb4b7a31a

SHA256
c190cdac2bfe4a670eea29a447cdd131beacc9c0b3eb8fa1749c2f34d8ab4d46

SHA512
3c013eafd135bc69230523041cc983a35d7b875f55103c3d1949fb20783d5b8afa0aac45e70bb3e16bfa2d474c854209876a9a961a8855968fa36ad5c58f7639

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
667b72ef787f46f8d1eaa99394c010b0

SHA1
8c32fe8de2d66af8c07fb1f51f71a5445c6683ea

SHA256
38f8b1cf789577022283069cae8ddf6088f7fc92e57e2af9ae670f8b8b80c8be

SHA512
16af98b8f36c2663cba74e513e9a735120b1ac46e02010e7e4c645d7f935033ef97d4ac00fbf743461167f77453ba73a3539b03e1c66e6069a6a0c34a2fc39c1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
4.0MB

MD5
398b476e32a2658fe697e48a59467ab1

SHA1
6e7aabb366a864688aafd9cb389e976c9e1ad3a5

SHA256
3913e4f96d1381339bbd19fcf0f3c7dde5a8e29e1a0aa2898bfee41ceb308866

SHA512
5dba52c56b34b18474abe8d85d328801fb3e2638418bfdeaabffc42760f147f5b58ec50b6a9ca9124826398d8d74e58e94515f9387daa2a87739da2fb04249fa

Download Submit