5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
Size

2.6MB
MD5

2203c5fd720df2de5a72372ddcbdda13
SHA1

4ae371fb653954094da9d1a328d43ce680802422
SHA256

5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54
SHA512

8d1eb95e7d18f68e80f95ae638e692cbdf4a544b8687549d613a912aa71985ea9ba6bcfc0398f2be9f03d16c1865cdb0a094bccce2a8dffe3e49b04f96571ff6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUp7b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

Executes dropped EXE 2 IoCs

pid	Process
1944	locxdob.exe
2540	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7M\\devdobloc.exe"	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9U\\boddevsys.exe"	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe
1944	locxdob.exe
2540	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1944	2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	28
PID 2796 wrote to memory of 1944	2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	28
PID 2796 wrote to memory of 1944	2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	28
PID 2796 wrote to memory of 1944	2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	28
PID 2796 wrote to memory of 2540	2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	29
PID 2796 wrote to memory of 2540	2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	29
PID 2796 wrote to memory of 2540	2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	29
PID 2796 wrote to memory of 2540	2796	5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe	29

C:\Users\Admin\AppData\Local\Temp\5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe
"C:\Users\Admin\AppData\Local\Temp\5831f4e19cce52087619e178b06757026d3a434e0b84b870a026e28ce7602a54.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Adobe7M\devdobloc.exe
  C:\Adobe7M\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7M\devdobloc.exe

Filesize
2.6MB

MD5
5187ae33836d5e537b76f8d35fe8775a

SHA1
2246bfaf3573252cfbdcb9e1477f25eb3706fb0d

SHA256
9300fc509363ea36e4486730d2aeb85f51d5790d3748a6bb69a8590482586266

SHA512
1cd21ad4f4dd893fb553256e8eebea4c4451d67e6d8359b5cb1a4735b58ce1ed61211a9ea74698c73fd2e24a8a9f39a4127ed426534e54ac917bd16fa52ae59f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
a7483d3253f7ee2d7dba286b2cfa41cf

SHA1
74f637c1ad42ac6304692db80c9457616c863af5

SHA256
18dc6d7ce2717bde86f694603e2d57888d41e95cae6c0a8d5319cc521338f740

SHA512
9b05f06fdbff7037121eb1f9b0fa61a0e221c4d5aa0a668a849067ad9e8a8d0b84b5af5a1d1013fa2020a2e7c948574fb7d0f6cee19f1809bf43366c33f8ff6c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
10ff3d15b58211473f930d6ba7caa19b

SHA1
4faf3d2e1b0b015149d52ac4ade25871874c780f

SHA256
3c0763177f6d0e15ea88bf814e11e59ffb3d1cf311276f9d6618307fd29cd372

SHA512
194bfc207198c464d576fb8c01d7b426c5ca4d0df9bac0cd03cd5e25d4b1694919ff16e37463e72e92d324c0aa2fb1f4060f08af6f9602e574dc47163f56621e

Download Submit
C:\Vid9U\boddevsys.exe

Filesize
2.6MB

MD5
367c09b563bfa07d6cfa4a264431faef

SHA1
300438b925a4a8b84f804e5b8fed8e0f94c8504b

SHA256
fc321dfc8df43f96ee06e09d36dd2a48c1748c1e0ea7a7bea272f498d1dcd25a

SHA512
bd47374df6443bba09a099b9a8d1f6ed416352aba82f96d8cc4e9a8befd4ebfd8c8040126eb9c58b0a82ab0d8ca13ed2c0c6bacf38ed0f33453a055c0508fd48

Download Submit
C:\Vid9U\boddevsys.exe

Filesize
2.6MB

MD5
5abeda35ae7c525319343320ad4ad6d6

SHA1
e69c0eae826cb8bc900817688dceda916a66c633

SHA256
53221bf866e5be3aea9abb0581cdae75703f71a54356ef68be6f6857dd11677d

SHA512
b7f3565e0c1f192bd3703da74f6a07bf46fa6bcf60ec1d5329cabb65a81fbf3a5993ef3ca951eda09b2819531811fdcf05bca6ca94216fe61aed7bff9e6ae678

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
ab8d6015d629fa9a3ad497aafffc7bfd

SHA1
9a6e3ef6e7d8c2c026bce166316b0cf4bc207ba7

SHA256
6cb6bdaa52e8e384b501b2254c190b896b95380836dce33fe7f3e9a72c2348ac

SHA512
dd1c4fec01a4bf2e0c8cb1a8d38d24cde8d7bf806fffbf8e29d58ef88de37ce057d85d92ced507fc954bc4f10ceb92985c609b0d3c00f9c3b441903f6f038fbc

Download Submit