035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
Size

3.0MB
MD5

393a6da9775739cb73d93a30b26bc19e
SHA1

5f239870438730bf52b59cffc5122bbfc7df4ef5
SHA256

035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49
SHA512

4d8698de3473af07b27b70de8431378867ee738a1de77a5227f94e8bf7215c450493bc3adc47660796ee049490a00b6f3a7c01f6862a23c5baaec6b1b3730096
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUphbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe

Executes dropped EXE 2 IoCs

pid	Process
2732	locxdob.exe
2524	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCE\\devdobloc.exe"	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRJ\\dobdevsys.exe"	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe
2732	locxdob.exe
2524	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2732	2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	28
PID 2256 wrote to memory of 2732	2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	28
PID 2256 wrote to memory of 2732	2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	28
PID 2256 wrote to memory of 2732	2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	28
PID 2256 wrote to memory of 2524	2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	29
PID 2256 wrote to memory of 2524	2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	29
PID 2256 wrote to memory of 2524	2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	29
PID 2256 wrote to memory of 2524	2256	035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe	29

C:\Users\Admin\AppData\Local\Temp\035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe
"C:\Users\Admin\AppData\Local\Temp\035d009a220b0371d8ebffc19280e5f185ea48c76e6abbac446bfbffbfb8ad49.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2732
- C:\AdobeCE\devdobloc.exe
  C:\AdobeCE\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeCE\devdobloc.exe

Filesize
3.0MB

MD5
d0dd243a86bb4a626f8059c054a34172

SHA1
b52471157bf6bdb6526d42fec76d95850b75a508

SHA256
23eb4049d1bc60d79690ff043675fd9c17a6cc10ab30cd05188e5185e6377749

SHA512
194847c3da28efdfe5983ed8e898d0e80df8bd42803f460f58db5d919b259f41e4cd24bc38a42d8ce177aff78941a3f01c9887921baeaead497236bd79da48ed

Download Submit
C:\KaVBRJ\dobdevsys.exe

Filesize
3.0MB

MD5
081ef71059aa66046c63a0e6de4b8d4a

SHA1
4ada32b1548c857c2939c8dd7e7bdf4034279353

SHA256
73ad18d3e2519ba06baca7350fc21ec6afa28a1594ba4b73d592da71e84f4e6e

SHA512
ac09b8f3d33d6bd737d0fe3adc1a306be27f3c4e0e7eca0c8becfd9d626f0d5b252a48da4d10f2a14a4b3cce5d64a75031ca434049cdeb44119e9a499bb6b1b0

Download Submit
C:\KaVBRJ\dobdevsys.exe

Filesize
6KB

MD5
c8190a91500bb1d9caa61e3b11eaf128

SHA1
ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

SHA256
6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

SHA512
bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
1d4abe34e0359d9744fad657a9d94f8b

SHA1
b1fd5d444ca50be6d64ecf99f3a34763ee6818c8

SHA256
d555947e70983333a29b473a4d8759f361874cbe579c8487168c926d8f4b00e5

SHA512
55c32e274739b913126841ef1f2d0c6a6bf5cb1e3908be3b5a0c5d70a169b09291185188b5fc022c9de79e68fa6cb2475a03ca0971a0107b047b30d59ac0deaf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
803e65fa0875825e93bdec45ed103f75

SHA1
1ff57a3dacfee70269d571286afaab2f81004472

SHA256
6d028eb9abff8784643d905eb362b069cb8189a65ece9f86de12443659469282

SHA512
1390f9af409d910c3f7c4188e600f80a4c742774ba7e5c07c24fd74a97c178351baac187414fba8593a4ed56b813cb67aaafc520935e8c4a4c2db5578a9be4dd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.0MB

MD5
0d2301b35e7ec1ddc598df2bea7c118a

SHA1
506e7f74c9da73142cba2117abb313e93ce7bf10

SHA256
0bf4aa78801ca80629123eba7d1b6fd79d4f0134150baeb24028a0e260cbb1eb

SHA512
b69d7e8064c622bf06cee3bc1d826d2123aceec7838408a8bb280112959b8a07629a8a92cd83e712d67d7a123b920b3a3a0cf7f7d815a013993f13c534fd05c1

Download Submit