Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 21:45

General

  • Target

    5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe

  • Size

    3.9MB

  • MD5

    cfd73c93a6339b5b973fa7d6180e3230

  • SHA1

    1a3b7f6f9d10901264cb819b749d6ad759518f2c

  • SHA256

    5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30

  • SHA512

    7b63c5113f61d58d09b192f116fbb034b7f4715103ec541e9a2ba1e781db79752ea5f3da44dbf8c9d0e76d19e637d1a883e98da1f39ab8228a31bd8d80f4a464

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUprbVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe
    "C:\Users\Admin\AppData\Local\Temp\5417d985615512187b4f9eebf60d012748112c39ed07106074982bb69dd11d30.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3976
    • C:\UserDot50\devbodec.exe
      C:\UserDot50\devbodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2548

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547) 1
    • Registry Run Keys / Startup Folder (T1547.001) 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547) 1
    • Registry Run Keys / Startup Folder (T1547.001) 1
  • Defense Evasion
    • Modify Registry (T1112) 1
  • Credential Access
    • Unsecured Credentials (T1552) 1
    • Credentials In Files (T1552.001) 1
  • Collection
    • Data from Local System (T1005) 1

Downloads

  • C:\LabZYA\dobxec.exe
    Filesize

    3.9MB

    MD5

    3ce331efdec91b3019beb8bf30cd2e3d

    SHA1

    48ae1f31ed71bb20ee478673319057dad5ae6ac9

    SHA256

    54253fd5fa544034155a9f24831f731648346255a105002cc0bb8d704998778e

    SHA512

    f57260da15b63a634cb8907b3554ebd7531e474ff907f4788a2d0d3d8a14fbeffd2e0e41855083459ce281492bcdcd843e6119bd157115a4c1ffa4319378c73a

  • C:\LabZYA\dobxec.exe
    Filesize

    3.9MB

    MD5

    b48b2c532105f8fb96615f703ec50f58

    SHA1

    a542808cd7d8a6d433db72e5c40b988f4d0e6baa

    SHA256

    1bf59a1ccb0ad052b719034cf4c1d7813171614d7bfa80e23d51d79a3b239a01

    SHA512

    23af4404986e61594e6ca5a0ad38cc6b47cdc5afc049ae3ce324076691fe6be7e0eb68b2265f465e9cb667dc0f0e4e914eb910c9ab2a663bd9d112ccb094ee8d

  • C:\UserDot50\devbodec.exe
    Filesize

    841KB

    MD5

    54c6aeaec6cf82fddcff200ecf7a7d82

    SHA1

    b818c3edd863b25dc45251e175b647e94b452ae8

    SHA256

    3eccdec595528cc49c32b0af1198d1ce678872e362bd143bfabf5f7d047aee62

    SHA512

    1a6348fea89b85adb097bd198e7904730a78053013bfce150c47ffd0500fafb758c8b0ce7e97475daeed255d21453e16beadb18c25b57d1f7ea5d1b2e4331567

  • C:\UserDot50\devbodec.exe
    Filesize

    3.9MB

    MD5

    9be9f14f947d08854b6c0beab7989209

    SHA1

    1a192bdb5fee22f3d09e234c79211ab9f696ee8c

    SHA256

    272731c38d857c3f708dc3009d368cd98ecdb4851fad5b305419deaaa3aaec76

    SHA512

    54eaf968cc86e6bde72b9d70f75c124ebee1daff30f6de8709365cea86a03b61f4bde748453b08db2ed28e740ef385012e57fe543a14244ece1b2912a30559a5

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    203B

    MD5

    51463e48679e644d53fad14dc361891e

    SHA1

    ed237dc5e324034bcdf0201addda7619c572bc90

    SHA256

    2bd6ccdd752c56b12575cf150e6a7cf413fabea7efb3c53da32851318c2ba853

    SHA512

    9fd2e01b74a367f2a8c126296c7006125a68c093418f2bd0799c477f3ba65bee504dbaa4968b7596addcf5ce4a02fb7efa1436d436a150523a965caf038edb57

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    171B

    MD5

    860e263a3f4e90e7a4a7ec09ab2972ca

    SHA1

    02997e030185c66058eabd95398bdd7ef8597797

    SHA256

    32fa9d907cf11d7f10d4b8d667d17a4a6d15cc653cf3b0dc58c202294b3ee8bf

    SHA512

    797eca9e9a1d0c43893ef41c8a311a059d57fcc65185df3fd7c041e997a80021973dd856291f83253310463764c2cad41e9935d43a92256a8f3d00818b5068ea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
    Filesize

    3.9MB

    MD5

    c1ef82db647448bad0a80b6d91a1dce8

    SHA1

    15873f7635f02bfab79b6c6c1124e3ca98a1092f

    SHA256

    234225235a37d03c0bc3841da46f0f934fde81a6f5d434bd0232bf8ce1e4fa82

    SHA512

    82b93b777f59d66c29d71987bf453dd655c9cf7763008914be0dae8d6355b0d9d200e2774bc52eb4397e60ba5f41c6b4b2e0bd0e6f929994fcecd970ef8dc897