dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
Size

3.2MB
MD5

8213a9258de910ac54e809856cf29c3e
SHA1

49b0e82b0c44929666852484033c2d3f08db4095
SHA256

dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa
SHA512

3d2a8a344fb56ad9f66f4918723ba54f402085410c4dfa553ccf353010d4e166c582084fdec74cd3321c21874825925b5c80320361bde3f3362888a8cd0f2e35
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp7bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe

Executes dropped EXE 2 IoCs

pid	Process
1964	sysxopti.exe
3036	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintMA\\dobxec.exe"	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4B\\devdobec.exe"	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe
1964	sysxopti.exe
3036	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1964	1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	28
PID 1948 wrote to memory of 1964	1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	28
PID 1948 wrote to memory of 1964	1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	28
PID 1948 wrote to memory of 1964	1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	28
PID 1948 wrote to memory of 3036	1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	29
PID 1948 wrote to memory of 3036	1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	29
PID 1948 wrote to memory of 3036	1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	29
PID 1948 wrote to memory of 3036	1948	dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe	29

C:\Users\Admin\AppData\Local\Temp\dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe
"C:\Users\Admin\AppData\Local\Temp\dfdd49dad59ceb9aaef548e2e5837e3cb6e053f789c12b76010714e8e16beeaa.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Files4B\devdobec.exe
  C:\Files4B\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4B\devdobec.exe

Filesize
3.2MB

MD5
20a38f37395a264d94db38ec7d75004c

SHA1
9fded607f3d631266654ae2e135b1adfe4fdd23c

SHA256
a8cedba5d23b65975adffe8e47a8aa1dd6d2b33def44b0dfa67fb762f8f1008e

SHA512
01c60601231a7f32e2d0bf050ee3741a80ddea81a5108635944b7985d03636377cc934fdcc6a230e11be0d23bddfc6ecdded0412e0a0c78259fc775957edc529

Download Submit
C:\MintMA\dobxec.exe

Filesize
10KB

MD5
a86336805b3d53c18600c251ef3cfa32

SHA1
69594cfc6347aa438b9319dfca41704cf4607aa6

SHA256
8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5

SHA512
2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93

Download Submit
C:\MintMA\dobxec.exe

Filesize
3.2MB

MD5
2e45a55737d80f2ad0fba4b77724c33c

SHA1
0c54c6da179ef42b30d4724865caf4310a33b354

SHA256
3fbeb7f2275dae5da98d1e0d0d762d70adfa709815436fb7d76e3455f34df16a

SHA512
6df9bbb9ac7b2de1d0f965f710e8d5fb0a45189e0cd63dc850721dbc8ed4fba008412a55391a7ad90674800067f122644d53ff17e71db2e24987f48766f18606

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
0b77437a6b7877292c4cd40195cfbf6a

SHA1
5a0fb5c02fa27a641ee83f4f679768df518637ff

SHA256
3363db0740be2c8014ae641bc50d5d8957f9a36dfbe9bffb258809199f82b04c

SHA512
c8b91ded2dd63dd185b5a85a963496ea212c9a2a01d46b6ddf9d836f1abcd065923b69a239cbbbac6fd006801eb8d582f6e0615e48d0d76a0c0862d0f1c5a1c8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
1de30c350206b21e31a67fdfea77ecce

SHA1
ade8707fd2a60682707723f1c6e68778f43ca99c

SHA256
60883bf8cbd45de30c416d54e756f881f57d371bd1b1295687ebe527da26ea11

SHA512
d70f568342c25e5ba3b1d1442f9423d7a9cf5dd33c03d4bcbb4e14391b0d4f8e9e79180d4023d1caa42a55a3cd19e7be3bedab2373b5828c33f9ffb09c21a16c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.2MB

MD5
ed90e50d2fd6e3384e36f2a159439cfe

SHA1
92aa638f4ead9f08f257560304fe626fe154a563

SHA256
8517c1b7165698c1eccceaaf4f2351ed7a7819141fdc02b73193d1d10abcc083

SHA512
87aedbd6d5118d821f2ceb04ae0389ad84026fd5893ffbd820de49c991bd310a48244057dd9a8fc7562a591e427a1e8eb7e988db619fb60ac7101cb2439ae2ee

Download Submit