5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829

General

Target

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
Size

3.2MB
MD5

39413179a6127b7934c1ab92ada07e3e
SHA1

8c33ddd736a43f51fa7688042a4cb4023e9a4a4f
SHA256

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829
SHA512

b8eb03c514efa123b5011b74fd11adbd5d421d9932fcfe96c5a81597809a28b760374737ecf308fb591813f344650aaf019d3073f561a3836dda84a43e7533db
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpZbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

Executes dropped EXE 2 IoCs

Processes:

locdevbod.exexdobsys.exe

pid process

3728 locdevbod.exe
3408 xdobsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3728	locdevbod.exe
3408	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xdobsys.exe"	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHK\\dobdevloc.exe"	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exelocdevbod.exexdobsys.exe

pid	process
4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe
3728	locdevbod.exe
3728	locdevbod.exe
3408	xdobsys.exe
3408	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe

description	pid	process	target process
PID 4688 wrote to memory of 3728	4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	locdevbod.exe
PID 4688 wrote to memory of 3728	4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	locdevbod.exe
PID 4688 wrote to memory of 3728	4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	locdevbod.exe
PID 4688 wrote to memory of 3408	4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	xdobsys.exe
PID 4688 wrote to memory of 3408	4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	xdobsys.exe
PID 4688 wrote to memory of 3408	4688	5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe	xdobsys.exe

C:\Users\Admin\AppData\Local\Temp\5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe
"C:\Users\Admin\AppData\Local\Temp\5c0acfd3519a9e38f5d877bc7cf0b22e50516f91d1fab1d2692a2f1c63369829.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3728

C:\AdobeQ8\xdobsys.exe
C:\AdobeQ8\xdobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeQ8\xdobsys.exe
Filesize
3.2MB

MD5
e9cda93b51ba199c3b3a89afbd86c434

SHA1
bf6939d4de354c35cdff5c9b1fbb09d49445e73e

SHA256
eabe2e3a7a4645a746a61177ea63f4c328c03fbe76ffcbe904a775fe5d1df36e

SHA512
4158064d9513c2a795a61dd018b86c3f49d0d809a5463db4073452474e030087712faab25a479a78585786bcca3cae16494716e0d76dc08eda4f6c426ffc6d59

Download Submit
C:\LabZHK\dobdevloc.exe
Filesize
563KB

MD5
589fa683e554f8843c34d62a83f513a3

SHA1
973f88023482ee80c274c64005f127805053a709

SHA256
b0b4f4dac8f1e6e5d91613f6b7b1e8951f55b6dadb0fc0d59bf1bbfd46100ce1

SHA512
047cd733d6a97ff87715ca3b0fcbd02aecc89e5d8f5c7a5eb0ed4fe28497ce0fcd251c7ff00eedbd81373ffe6879d4174a0bd45c249f1599541a395aac17ac44

Download Submit
C:\LabZHK\dobdevloc.exe
Filesize
132KB

MD5
b23c82bd23ebf7749e12fbb1bc5b17a3

SHA1
b571fd2de2d7b20f7d5726e39ad10e8a725f25ea

SHA256
2546c5389d887f776e6b0fb053d880dd700d51bdee0e7c15e95431065d3ba10a

SHA512
c9d66244c57de3dd9f0a17ee11c34f0d35fd9dc7095002982d1d40eef6dae38d4a2fe1609aaeff85411210347b06f903aacc5e800ef5866b7a8f1338c0ef1449

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
204B

MD5
e58fc5a0a2aa67564c0bfdb1669f6de6

SHA1
8cee14566e0b33401967622237b2bc41f3898f8e

SHA256
9f7fc27bcfb84497974f61496545e3eb1107ef9278f8790e1de55e0c74a161eb

SHA512
13a55bb7ff58e3435ca6191bb5a2f8589d497982453ff842e6caeccb9eccdb13be51f07a168d3e43e7019c3efae5d1c06ae0665ea6eeab4ed3c1396b069eb1e6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
172B

MD5
3dc4f0865b013b77ea1c1e40d17dccde

SHA1
b83c72c8fd79ce675131066eb3c1252900e2a2df

SHA256
9ec26492357be56db6f4c1d9d7d8ca8fcc31958f1ed040e1f1c9e382881bad61

SHA512
733c311e900f1581e60888d9bedfa79f122fd4365502b69d21a5750988649cbee2e045cfb44e4b0130d6dac88ba28f332688cfe612c48dc4e228c56a948b3c65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
Filesize
3.2MB

MD5
977a7546e99ba9b1af89b35d6872d2ab

SHA1
ce3a737bef731801eeefeda167074aca2a2ca3e3

SHA256
1966a513ea1ad2e5c10ea6262a5c6a5a813d66b6d625c609e627080d9fbce503

SHA512
8f779857329ae16e5aa82fc7054e700eed37d33653946e8c952680efa4939233947a76a36d790ddbd5c92703101d484adeffb78d4cec7d02dcef28169fb80a16

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads