a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe
Size

3.9MB
MD5

062707ab4fbe96733573cf5fd84a9b88
SHA1

3e778757e43fce6743033f49d726fc0a8e93a9ce
SHA256

a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379
SHA512

6faa63839f0cfebe70cadce7dfe22fb59b0fdb99840ade84882eb162d0ba3cf943cec7ea11000fa6e7acd01ef01ecaf799e57199c747034d012958d8c8329f6d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bSqz8:sxX7QnxrloE5dpUpjbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe

Executes dropped EXE 2 IoCs

pid	Process
4396	locxdob.exe
3484	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMD\\devdobec.exe"	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHH\\optidevloc.exe"	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe
568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe
568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe
568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe
4396	locxdob.exe
4396	locxdob.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe
3484	devdobec.exe
3484	devdobec.exe
4396	locxdob.exe
4396	locxdob.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 4396	568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe	90
PID 568 wrote to memory of 4396	568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe	90
PID 568 wrote to memory of 4396	568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe	90
PID 568 wrote to memory of 3484	568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe	91
PID 568 wrote to memory of 3484	568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe	91
PID 568 wrote to memory of 3484	568	a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe	91

C:\Users\Admin\AppData\Local\Temp\a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe
"C:\Users\Admin\AppData\Local\Temp\a768ec0a194cbddb596f44ef5b7fda0490dde44aa8ec6357613313ed77edb379.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4396
- C:\AdobeMD\devdobec.exe
  C:\AdobeMD\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3020 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeMD\devdobec.exe

Filesize
5KB

MD5
35d5f2180b8da2eaecad0679e66dc251

SHA1
3e782e20becd6567750bacb04faafd148aadac06

SHA256
2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700

SHA512
15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

Download Submit
C:\AdobeMD\devdobec.exe

Filesize
3.9MB

MD5
3840d3317de082a6a06702ba0006b0bc

SHA1
7add01dd4f583d64d7df8ca8c1c81232e601c4fd

SHA256
58e95b325f5d53c5ccf6f0653f0d17150e55f7c6aff34d4af4a56df02195ebdd

SHA512
afe8fc0531239423de17427dcad4d57e765cf286be3e9aaad895376b7d4ad8eb28433a8d61c762a0a870d453ee425060046e68510936d74e12f2245d01466093

Download Submit
C:\MintHH\optidevloc.exe

Filesize
15KB

MD5
62f17a18e2665228331086e6e938bfcc

SHA1
8e2aada25ef3eee33045d7c08ce27d04adfb7da4

SHA256
1f30a15b454a01e1f02a566860b6dea8fe2debfee04aa9dcd02eff1b374b5385

SHA512
0cde9444b74a958f01e657a2f49550b28dac6697a6d01cdde84a080468781943e73e4ca36b1efb6ce7bebd85c014c8ebf526f60943adf83ef100be6249c3a5f3

Download Submit
C:\MintHH\optidevloc.exe

Filesize
5KB

MD5
c346de548654eab088b033eeb72e5ab8

SHA1
61d5e6da50d6f7b00217db8a4faeabab00794f6b

SHA256
1521865ffa35423f24e6bdb83604d41a34fc1c35747152e884821e8d8880940c

SHA512
71996885c5bf78369a6b117b33876a4ff88a61e474d45695d776216dbf0c5c67b726e0167ec40d11578f9ff9e4f05d4d09be5b84116cab7e67d7e09c4188b2df

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
e84d2cb9f3499525f7ff8f761b7a9240

SHA1
5f5b7477924f331ecf1938dd404c918277872ee0

SHA256
37b21cf8e70b48b3300eb78324d95cc54f1b3c883afb4ca01cb98a556922a01c

SHA512
6e80673e13ceca4d62f6e7a363eeefe0af71eb6c9d15a6cd7b70fb7525c3d3261ac0c27e14e6a72384ad8cbbe2747dcf6102099cfc26fc98fee3234d92ad11a7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
d5314ba2ffe5cb8d26795e73d6e244ec

SHA1
de5f8a7427c4890a86c2083f8e31eb1bb98ff47b

SHA256
3829f6abc3e36f2d59e0d8e0e7939af9af91f662cbecce1cf9fa1d92035b62cf

SHA512
a7bde63407de2416617b3e9b4a2ca8aa87ed95d08e2d1ae16b724bf8b21db7c01739516404099288062d404c63120c85aa76cafe40417a794c925a3adbeb44fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.9MB

MD5
bf9f72dfd51093ff228f4a6cae7958b2

SHA1
744001a9d6c956c7a56b55e267f06228d8ade7d6

SHA256
5a6ad0c76816b7a764a6947a5d5514e88439a468fc9df417b244bf06f198183b

SHA512
7ff09d190c134a1071ffecb69cf37ecbd68a4f4b465241cd6c4f936df9a99462352c0a4afa771bdb82025f46d7a9cbf4fa37742f393a498695dcfa4a0aa29eef

Download Submit