5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
Size

2.6MB
MD5

1a168713d89de2e5c655f6a3d34439f8
SHA1

cf75c1a5e6a52687cf224c1f2940d1fc11502557
SHA256

5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a
SHA512

fcc0d7707728de34d8235aa569632f14e757aa270d7cb00218e74e790914160affdf66af5aba31763832a1f312757211b21c730e3d139b0e3fc1185ba4514a2b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUp4b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe

Executes dropped EXE 2 IoCs

pid	Process
2244	sysxdob.exe
2948	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQL\\devoptiec.exe"	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid98\\dobasys.exe"	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe
2244	sysxdob.exe
2948	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2244	2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	28
PID 2268 wrote to memory of 2244	2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	28
PID 2268 wrote to memory of 2244	2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	28
PID 2268 wrote to memory of 2244	2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	28
PID 2268 wrote to memory of 2948	2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	29
PID 2268 wrote to memory of 2948	2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	29
PID 2268 wrote to memory of 2948	2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	29
PID 2268 wrote to memory of 2948	2268	5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe	29

C:\Users\Admin\AppData\Local\Temp\5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe
"C:\Users\Admin\AppData\Local\Temp\5b47c9c22d8aa22cc94c1c5db9498fdc5235c88ba3699aeb618e84c33e0d7a9a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\UserDotQL\devoptiec.exe
  C:\UserDotQL\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotQL\devoptiec.exe

Filesize
2.0MB

MD5
5aac7f7e75a5d5b537a9e6a4a794ac88

SHA1
ccf067d88ef462f1da0581b69f1b4e9d37c550a8

SHA256
98662c04271f2d3262194b4060345e5975b213d695214c64c60ca08c852ce529

SHA512
853edf0b000ec3ad58ffd794bf974b7bcf39b21cd0de7b927a38b4daab9c5e21fdaf1eb9cbe081aa1767a784f874a4fc5c0c8e628d99b413b89611304c8a0f0d

Download Submit
C:\UserDotQL\devoptiec.exe

Filesize
1.9MB

MD5
48c8baf277b667c96238b3d7b3308acf

SHA1
86de9f40ca84d7943eafb89848c9a9ffb0a332f6

SHA256
f9c76171197650985e7972c1793cb76e00f2a706d20c1456bd5361df2aaa802f

SHA512
97492e19127e1aa917d856dd015571adb3db06affbc9ec4556cf7ef9c69573fa7d7540c5eec914566b8879510f6b9dba1a195fa045f51ec778dcf5954e114cc8

Download Submit
C:\UserDotQL\devoptiec.exe

Filesize
2.5MB

MD5
9c31afc41e2e44c30914889a3d823d1f

SHA1
8952bb7a16153de2418b9a5baa3ee92e5c1ce276

SHA256
7a84b42289a2eab6675ce7ab78edfa98bec08e758805e1c7526736fceb307894

SHA512
16977fcade30df25eb4d6b7a3d20f3f064751d6596ec646ee3ab9e84855e878cf9420e275a6d65d123f7e47620bac21bc600e0e6230456aebb390cf34e9d5d45

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
e716ad17cc22af977982323a669abddc

SHA1
256897f978906517b3e2338ced7b4c736d671e50

SHA256
ea063aa9afee1b9eccadf75f42f8783ec6403de22ca96a2230958f046b1d2da5

SHA512
0fbb5bf464135441eac037516a104b035555fbc72f2cc3b2a9406084b918d108bdae89a5f262357603d046eec1e0f7fa73fea3a534f604108b67e3dc6855ae4b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
ec55348d8dc610d39aa796665e0cf882

SHA1
cdd61661bbbfe10044e369a03eda465d39944fbf

SHA256
8f66f164a04aae6d3e8617498abc3798b38d17f237cec28eb94313f4a6b6b83e

SHA512
44a1791e534cf9f76669ad4b1d7dd164a138a98546aa4b9f3935aedf6302782839f3f4aa58cdc748651a6904cce82df21f794aaeb7d6c4fb477443f4c6a82a57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.5MB

MD5
9ea2c1470abc04b9c8e485eccb28944a

SHA1
b96e4300980a0e13c9f9fcafcdb2524f73f158ac

SHA256
2c2def951805bf8dfe658a85cec49767e5d3d71cbb2a5d611a2ef815d6bb55a3

SHA512
59cfc821e72feb8224b6f70d9287097899894738cfe238797c197375631f7f3435d9458ec4d30d55c99ed7667dc2b90fc4967f82d060dc3171a67c48c17e283e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.5MB

MD5
52828c76861c2a12512a98756f844210

SHA1
c5cbe4de828c9f7b12dcc5ca69c1712fdb43b397

SHA256
a0c0f2dfd83ed0ebb936f5e19c07a139ba37d3b50bfae4505c8f8e6e0cbe13a5

SHA512
23a13391a71f44bdbbe0449dbaa0707a802dd845f64dfe621e052af20e6f634ea3af9748ac7a9ed3fcfca4812e59dcfe6ce6679d41fb421858d96bbd38a5afad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.1MB

MD5
6f07077665ad3752880c1fdcfe21c419

SHA1
2850e1647e18f69c3ef1632ca30c54d6c2fe8934

SHA256
b97d7a93ed6b874e328d71bfaa7398364009292598b9223d2c5f7901753c0fd0

SHA512
b13fefc12fd2817d3bdcc4a819536a0bfa06c1aa45345563fd0d4d5f48be1ee4bc26d6df930f92d64eaa1df6a515fe16b65559be3a87d705fee574817737e5e0

Download Submit
C:\Vid98\dobasys.exe

Filesize
2.6MB

MD5
fba1009af5fae3e90d6ad3f9e7429a05

SHA1
1b6fa058228e97bfe9eed00e2da7a5aac601b142

SHA256
e9bc9dc9094157366b6932003f062f3f03ef8d644b55b2bed898503e5ac75935

SHA512
5f28a3cb2c901c834294f26ec9726359ee180db1ca58eae6b0fbe87db9f98a0bfb64b22d9515c4876ce05fb84dad4b500f71c1a1df1e13216e240cb40a5dfedb

Download Submit
\UserDotQL\devoptiec.exe

Filesize
2.3MB

MD5
9dc8f22eb081dddd493c327099c6fda2

SHA1
10b996d576654c779b842a802a3fda866832659e

SHA256
ffe0944784032550783d8199f344e00ee24e986982a70b155441a27bc9159e77

SHA512
788a0c57effac48cd5df75315744ffe688bdb33a397d927dea474996a35ba89bd107b20cb32c591b8f2c939e1b09d46fb5a2962888aaa3c4cee2753ad392836a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.4MB

MD5
0ee6bb186dc1af070dd8c5f643ddd3ea

SHA1
791a1277668ef30f87a86fef77333003a6ea3ebe

SHA256
fccdf1065681b21f28c6942c15ca5c4f590aa46a8062bdbd9f1005faae321bab

SHA512
233d3eb078386fa862232136a0fc4e71fe811e8c8ea3eb544c67202d937d5fff9022f6479ee31266726842e7edb667687addbef661e48e0242cecd599f5b71e9

Download Submit