9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
Size

2.6MB
MD5

154103da74afa24dc7e5f11cb36ad409
SHA1

650301da740464fec9cd7904c1e4d9c54be5b472
SHA256

9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c
SHA512

945fe0877cfa90ad9a745911d195c35eb86269ee556af5dccfdf30bdfdc41f53f435761d0c013f8c47ae5935dc66cd309870a33cb313124c9379c79aad98b570
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	locdevdob.exe
2596	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK5\\adobec.exe"	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZOA\\boddevsys.exe"	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe
2940	locdevdob.exe
2596	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2940	2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	28
PID 2000 wrote to memory of 2940	2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	28
PID 2000 wrote to memory of 2940	2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	28
PID 2000 wrote to memory of 2940	2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	28
PID 2000 wrote to memory of 2596	2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	29
PID 2000 wrote to memory of 2596	2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	29
PID 2000 wrote to memory of 2596	2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	29
PID 2000 wrote to memory of 2596	2000	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	29

C:\Users\Admin\AppData\Local\Temp\9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
"C:\Users\Admin\AppData\Local\Temp\9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\SysDrvK5\adobec.exe
  C:\SysDrvK5\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZOA\boddevsys.exe

Filesize
2.6MB

MD5
146146477139845d745788838537f95a

SHA1
6eb4929fcb97d7205a12b5a432aa1fa49e9682e4

SHA256
9531bfa536c0747442a2a66d523a66e74e1eb86938c5fbd2547a074c0f37357d

SHA512
1aec5ee3361b623ce6b110bb221484059441eaecc35fc3e59b52ae5e9c32bbebac169741f38c507e7ebff3d5cc3fa93c3bb6852cc518687f17619722b67003a1

Download Submit
C:\SysDrvK5\adobec.exe

Filesize
2.6MB

MD5
b8cf1449f7eba6c6564b3c697a2e9dd6

SHA1
edcbb592c898dcf39fb16ac19fbe994009a904e4

SHA256
d5c2516db0587f67637490f44fe43a1934e67db160357309fabe850c2587d0c6

SHA512
539e19018fae95276e6e78220ca8b6f0b3af1c862880d6777a73465a98cfb041a6f59e5ca0a85deff9649e87809df04f816648b72a9cf98095ca39ea696bd4ba

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
59280e1a2a24e8115c1826f51a291608

SHA1
638b68e36d31cd3e13c10a7133ba2cf7c8fff88d

SHA256
6638efccf7619a19aaaaca4427451c84ae1fb445c4ca9019610f8301a85633b6

SHA512
d060531bec20ab7dc8734b60a29077049430b73610963a504f159a8e292f7c130b30c7b711c13bbd86c8df0706cab7e62a9cea313a01700f077bcc529bffb85b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
56ba1012bea7f697226851f0e5d1e957

SHA1
5a70e746b56f33018ab7f607e830125a3e53e685

SHA256
6e42670eaadf2d0b0453c9a12405afed9626178be686d752fd9115af3d11ab72

SHA512
ef7478bd738447d6f37ad1ebfda69f01892b7cb8d5e106f8d795b3e97f58efd8fbcaf4e32e6ba74d35b3c316d5c39d70661804484209c546bbd111167b1584ed

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
cb6898ad57d33ee7cc9c5d1dff3ee645

SHA1
d8524096d242408f13aeff80f16854f60084754e

SHA256
c39fc5827176d8f63600ddebbfb4e5fc7110143a27ff9efe2a284d270ffe72fd

SHA512
e7dce711841ae6e177314e46c9bd2d9e573268aba94baaff5526eb0625c1d99275cba0914fdfec944287a9edf3ddffdb9f564c0129fdde8a9c4500653577027d

Download Submit