7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
Size

3.9MB
MD5

e0d751bcff49d70af84b09611194c46b
SHA1

d4adc77f981af0cb0e0c59f56a39fe8e43124958
SHA256

7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe
SHA512

525c9e15ca081caf1735f80ea6b131940a8e89489600a9dd4396fe258cb5b1b3fa3b4239f7051b5398c9076419e9b7a1936dc89d7eed0a47b38c0e526aca3b63
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUpebVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe

Executes dropped EXE 2 IoCs

pid	Process
1628	locxdob.exe
1976	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7M\\devdobloc.exe"	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9U\\boddevsys.exe"	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe
1628	locxdob.exe
1976	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1628	2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	28
PID 2824 wrote to memory of 1628	2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	28
PID 2824 wrote to memory of 1628	2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	28
PID 2824 wrote to memory of 1628	2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	28
PID 2824 wrote to memory of 1976	2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	29
PID 2824 wrote to memory of 1976	2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	29
PID 2824 wrote to memory of 1976	2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	29
PID 2824 wrote to memory of 1976	2824	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	29

C:\Users\Admin\AppData\Local\Temp\7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
"C:\Users\Admin\AppData\Local\Temp\7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Adobe7M\devdobloc.exe
  C:\Adobe7M\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7M\devdobloc.exe

Filesize
3.9MB

MD5
f8ec0398f5dbd822c6a0827fff09ba6e

SHA1
cba236edb04c22b3d43819259ebca3b1118f4cea

SHA256
c953dbde5660ca6f372b337564dbc25cb3bacfa4e60ed4c5429f28f5ca285b40

SHA512
de7148978babd2d5d133cde163d9f56fbaf6fa98479bcbf534b0451a0e8b654897286b423f86eeb0972950e0470dfed32a898d0344dbb32331fd1e894337de59

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
a7483d3253f7ee2d7dba286b2cfa41cf

SHA1
74f637c1ad42ac6304692db80c9457616c863af5

SHA256
18dc6d7ce2717bde86f694603e2d57888d41e95cae6c0a8d5319cc521338f740

SHA512
9b05f06fdbff7037121eb1f9b0fa61a0e221c4d5aa0a668a849067ad9e8a8d0b84b5af5a1d1013fa2020a2e7c948574fb7d0f6cee19f1809bf43366c33f8ff6c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
10ff3d15b58211473f930d6ba7caa19b

SHA1
4faf3d2e1b0b015149d52ac4ade25871874c780f

SHA256
3c0763177f6d0e15ea88bf814e11e59ffb3d1cf311276f9d6618307fd29cd372

SHA512
194bfc207198c464d576fb8c01d7b426c5ca4d0df9bac0cd03cd5e25d4b1694919ff16e37463e72e92d324c0aa2fb1f4060f08af6f9602e574dc47163f56621e

Download Submit
C:\Vid9U\boddevsys.exe

Filesize
3.9MB

MD5
3c651265f27b5c7cae8cd9cc93fd9d45

SHA1
8146f9e3e3de8137ccc5b677c1dc7974791c3571

SHA256
8d706bbc5713771e65e7be012b7c82a6c86bee752cdbf7c918caec29043513f1

SHA512
91c29345600113e5fed38bc917beecc67b906d54afbc32d59f120473510d54031b044675902de9973fe4ff8c6da354f2a5fb1ee1336c26cbce5c8341d5cc1ed7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.9MB

MD5
12e43e59837c66ccf7dc6bdd20dcd1b2

SHA1
2f7c554c5cdf05bf8a091d590247bfe3496dc8bd

SHA256
7c3273863d8cd33701eabca9ccddccc7a44cb8dbe47b2b1b2fa953d7cb4241e9

SHA512
8cf162253941359c507f52d146b0487bdfca2a4b3da8e39614f9f8b7d36996e3bc5eaf2f6660eb363f339df1861fcac3b080955f7af3455d5f0dd598d8902c3c

Download Submit