d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05

General

Target

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
Size

2.6MB
MD5

0db808db5acf774f3e0253190abaec15
SHA1

1c6ff4855bae0e09031680a0ed9f5fe13aa92de1
SHA256

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05
SHA512

5f0256ee1ce75d1a33f9dd13b038d24450f37e31c365b1d392b866106658faa1fa2f9e39f04a6b0659a7a84ad428ffecd81e1436dae149c19d79abbe10993c08
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

Executes dropped EXE 2 IoCs

Processes:

locdevdob.exexbodec.exe

pid process

1044 locdevdob.exe
2372 xbodec.exe

pid	process
1044	locdevdob.exe
2372	xbodec.exe

Loads dropped DLL 2 IoCs

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

pid	process
1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVX\\xbodec.exe"	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxSA\\dobxloc.exe"	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exelocdevdob.exexbodec.exe

pid	process
1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe
1044	locdevdob.exe
2372	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe

description	pid	process	target process
PID 1596 wrote to memory of 1044	1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	locdevdob.exe
PID 1596 wrote to memory of 1044	1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	locdevdob.exe
PID 1596 wrote to memory of 1044	1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	locdevdob.exe
PID 1596 wrote to memory of 1044	1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	locdevdob.exe
PID 1596 wrote to memory of 2372	1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	xbodec.exe
PID 1596 wrote to memory of 2372	1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	xbodec.exe
PID 1596 wrote to memory of 2372	1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	xbodec.exe
PID 1596 wrote to memory of 2372	1596	d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe	xbodec.exe

C:\Users\Admin\AppData\Local\Temp\d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe
"C:\Users\Admin\AppData\Local\Temp\d44d183781f753d973f2bd2e1e1381782633e2ec157d374d7c0df5f8fe066b05.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\UserDotVX\xbodec.exe
C:\UserDotVX\xbodec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2372

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxSA\dobxloc.exe
Filesize
2.6MB

MD5
c35e667c59fe7a11bbb21ae9a58b0c24

SHA1
f5557a1464b870e0458903d6f1c8ed78c8447e19

SHA256
d1454c938ec32179070dcabac70b3fd93856ac37e451083954d05065289eeeca

SHA512
8d663de89d3e0feca4c773c8cac550f4b5d1aa8ed25634dea3bc43d12b17b9e622ee13b1be4bf4fba5ae7c4a3867a758483a984708dd043f1d3a1a9ddb4b23b0

Download Submit
C:\GalaxSA\dobxloc.exe
Filesize
5KB

MD5
b1bff5461f6eccee15bc13b90b862c37

SHA1
9b68b3e8bd60c2c4b00d1ff961e9c20b00350466

SHA256
31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498

SHA512
fc655a29154ddbd88a87bbe6eff59a7e0654e6306682a7ea2f70c240b99f1e7026089df3a2803df3ec6f1a12c75d0ea1438ffc856440b95121dbfdcbc15800b0

Download Submit
C:\UserDotVX\xbodec.exe
Filesize
2.6MB

MD5
96208544b5e553b29a3db3f929d95084

SHA1
810aac9df87e528d4bd782fea2af93c58bf4c31c

SHA256
7c0b3bd161a07b5e55924d61e53aff351184c7fbb3f43ae1ddea03b7752978e6

SHA512
c1139887d6f9d69efec88ee795ee207333ecd03e8a954f1b2ec39b87ca5260cb1c6ee84b4cbdbfc1dc367a99bbe9b0acb6c24ea1d9bf10c8fda3bac257cc0643

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
172B

MD5
f5c8976a25be01b71a20d248e7224c4d

SHA1
df6bbfc36501851774bb63af00640c5a0f79c9af

SHA256
c3a9a2b99cd9c836c1f2fb5770770b94346f41d354dcc3de1b3a05a437d33912

SHA512
82934d2e4e073ac0604f7acc0bf59045d9d50ed64921fab8275e0ada887f65fea5b531aa36154f53ffcbe375a368ef860d3b6e71ad002646f6a513a7eea53c74

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
204B

MD5
ac099b768b78f1ab674c80f7a96f4ba1

SHA1
62bb0517349dc7ab2d52589d202174122a823c1c

SHA256
c846fb8fb6c4e0c784ee8a8206e49336519c50208edb6ed5702bb0a044e3fc80

SHA512
4dbfe27cc207a0d3050df1f06962e15be4f6ddbab7791c32f61a15d04a3b365d3b1d5da11c5afbb1daa6fa1bff160fe45d7576403b6d11cc84dfd20583aee17a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
Filesize
2.6MB

MD5
2297c5bbcd6b0250e5c3aff0905b9ddb

SHA1
17601493b2eb89b4fd3e2a25f48467ccaec87797

SHA256
a3f9f19ce9c6d3f109200e2977127db18f9e8c538e9c4d0adbed317388f10f1e

SHA512
2fcaf94a512cede187e2df3b5b5af2a5df1334535b18b1cb2f6852b871fe8c93adcad479d255ee2356c896d609aa961c6742065819b7169200e8e8511aa42920

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads