adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
Size

4.0MB
MD5

83859f706991a080c25d6e18466050ea
SHA1

d2e7df8152b76046c4a689e18a023ec3c3196df3
SHA256

adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93
SHA512

103c0645874ecc5a07cec6525d0efffdabd773a5414c9d43fd681be64f503558e03bf5e8e6492534b5eafe6df8beb4c5e02534ab1179ca77244e62652c5a3df1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe

Executes dropped EXE 2 IoCs

pid	Process
1664	locdevdob.exe
2128	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocO7\\devbodloc.exe"	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLU\\optidevsys.exe"	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe
1664	locdevdob.exe
2128	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1664	1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	28
PID 1072 wrote to memory of 1664	1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	28
PID 1072 wrote to memory of 1664	1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	28
PID 1072 wrote to memory of 1664	1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	28
PID 1072 wrote to memory of 2128	1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	29
PID 1072 wrote to memory of 2128	1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	29
PID 1072 wrote to memory of 2128	1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	29
PID 1072 wrote to memory of 2128	1072	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	29

C:\Users\Admin\AppData\Local\Temp\adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
"C:\Users\Admin\AppData\Local\Temp\adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\IntelprocO7\devbodloc.exe
  C:\IntelprocO7\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocO7\devbodloc.exe

Filesize
4.0MB

MD5
8ff3256ce71cfd3c74365bd0f225e0fc

SHA1
34662c891c84d712ee4bb16d776d634a3293ce6b

SHA256
f1d04ed71bad41e4a0eb7096979f4404500516e40254e88778f558758db2d1a1

SHA512
03b3189d50411394fbd384e1bd4f6b35873f01cc53404ec1d4a9759d6446ac3feaeea942b1e128902d264696d0eae0995cbae642180cc71f5432da7dcf80a9de

Download Submit
C:\MintLU\optidevsys.exe

Filesize
3.2MB

MD5
50b00bd915014c5eafd0f3df70dfe7c1

SHA1
31d148e43fa2589f5303574456a4cf80b7060d15

SHA256
0bd23c6fc2ab0fcad28e1d6dcee61d8a864d58c4e881d22a182d91d905c82cd3

SHA512
4c89d00242ea51260043a2893c547f290c067da1da3be9aaaa6f65744e1a4e91bff1a0c5e93b63105517a20a233e7ec82f7ea9d04b999d11391328c87c14f296

Download Submit
C:\MintLU\optidevsys.exe

Filesize
4.0MB

MD5
7c396b0ae4c8785c3e495e474c0e50ed

SHA1
016186bfd50d1132f9c822938a17725ff51fd080

SHA256
6f7b2fb69a9906e06a2bb35f2e6368127f6df4995a90171e7554f6a03e177dd2

SHA512
a0e04622b991b3e49a617fe8d21d19669c57ea7e92076b849cddcce175541851be630fbfff7711fba9c486c15acd51c0eef05839971357e29002da7ac59c6f15

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
179B

MD5
4a04df6d1f42879c0d17f71beecefe3b

SHA1
b350f03a76826de4b7f08acdf9c2496af61daf2b

SHA256
b861387b7030fbfc027b0192a87f00ef403ca5f00b1b03fdc2115632bc37a679

SHA512
492b2ff73f032027edd1b29d0ecd2bc2ee6ee43348fa14641baaee9615e190dac56101b6dd7897ee675d67abed43c3ce355be0da12c3ac41acdfd973931ab607

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
211B

MD5
dfb68821f2f453177bb675aabfaa78f8

SHA1
7239e7098160d620885183fdeb9c541cbd9da9d0

SHA256
2813ce5e8831892b98a1c854e78a171a03201039a07ca1c1f9fc66c415aedbb5

SHA512
c49c97c72a1ba156c93b5303231b73385f444d3c6880989d3babbda3ba85d99b69671c3bd6c9f1dd8da21390d4d47f15e338f6a2641e211edb79891ede9a17b0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
4.0MB

MD5
f2982ec878cabe0e32e619d26b05d990

SHA1
595816c91ef2caa306d85163a6c8a4c8021f7128

SHA256
0f483c8fc9c86ae1f09525ffe7a539c7d37ac8fb1150c50d44a34db870cf234c

SHA512
9afc59527daa38346f7ae9ef749559e3ebed0de14d8d6c04ae17c31b9e1e76fce7633aa33171a9eb42b4042951adadfab336241552e53a05ec4624195a6d73e0

Download Submit