5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
Size

3.6MB
MD5

c71c91733fe800e568affb613421009f
SHA1

0cc824669220064639b6580a32d5547767f0180c
SHA256

5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b
SHA512

ec74682e9c9b45a945514a3ffb2673a5fcfff63e003c5698a17f3f65c5b7df0b6d159e32aa38d583ad463bb98fabefa3605e31725ffb4560045ec830ce828cd6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpmbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	sysdevdob.exe
1560	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintA1\\boddevec.exe"	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv68\\devdobloc.exe"	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
2204	sysdevdob.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe
1560	devdobloc.exe
2204	sysdevdob.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2204	1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	28
PID 1556 wrote to memory of 2204	1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	28
PID 1556 wrote to memory of 2204	1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	28
PID 1556 wrote to memory of 2204	1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	28
PID 1556 wrote to memory of 1560	1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	29
PID 1556 wrote to memory of 1560	1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	29
PID 1556 wrote to memory of 1560	1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	29
PID 1556 wrote to memory of 1560	1556	5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe	29

C:\Users\Admin\AppData\Local\Temp\5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe
"C:\Users\Admin\AppData\Local\Temp\5de369fbc88c203225f53660ef07b37c0eacd06cfe2129cfefa02b4cf5685b2b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\SysDrv68\devdobloc.exe
  C:\SysDrv68\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintA1\boddevec.exe

Filesize
3.6MB

MD5
910b5d6afc98eccff5349e6e8ad61824

SHA1
e13936a81f679521f982a32925f8ff78064445b6

SHA256
847e782b228d4066122b1d8c2a6baf0bcb299b3dd8d0f516ece326417b280a41

SHA512
9b5db0705a70b18a5b5720e9d59c669d6651337510c6a56fc0178db7874f1ef5bc3db3e9e84e151f9750bab3edc793886e7a52905c558ef8179c5c2bd3c1e7d9

Download Submit
C:\SysDrv68\devdobloc.exe

Filesize
3.6MB

MD5
e04fa48292e49e1176131c54fdb43591

SHA1
6a7ca4db55af5f54c69f996b6c338dd766967679

SHA256
786cd5f9cd3a54529853cc24a68a30ab9c0c61aac9e3c4f8be562d28b3702347

SHA512
1b32cf3340b114f185f5d28679267cd6dd6f6f7d5868ff5d21af72180df95e93f213829bcda77d9ddac56a68f90dd7c1adc9a7cf4b96c40c6249646af20bbff7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
43e3dc9724793d7e59ad481c2a14c416

SHA1
ae19ec8751c9fd3fb728b6da252f1698686e81e4

SHA256
c3d1c5c04a47e39d18defb3df9dc995ff849b276ce022192b54ca425b7041539

SHA512
31a941fc48ffdb0da37499ef714663b33fcb2ce89adb424a05b35842a1df3c0bdff954eb62f23882025ed6ccbadfd9aa78f7f2846e3a91e5d0a5c754e427a626

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
2d440d44ffa308a29b2fe5c494d10866

SHA1
f3539dea8b7871710603dfb0f5fb1608a347a28d

SHA256
62a719afaf43df525e8e31e0171732290fdbf755a41698f504efbd4fc7fa1f13

SHA512
c088eab2855c6d940453ca58b4c16cb70a19a556df2d15aab8228b5fafc394bcd61a213b3ec14edfc6151a684811a2b8334ca7394fbdb4375136f19454413565

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.6MB

MD5
61c92deb3a7ce4dfa162926d39c9e7e6

SHA1
cb6223691aff6a84e917bc752896068e24daf683

SHA256
739e8ecca7e281768ce2a84ab2eb5ea1ccd816ace599271ccff8a234973763a9

SHA512
8dfcbab05749358750fd911ebab13196054f06d3d9e722040dce4d0049dcc971c9437e1aa09f43419b0c94b65e3a711ef01ac985ba1a4d5cda82d2f5e2b57726

Download Submit