0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
Size

3.9MB
MD5

2050253ec7997ee98060c1375716ce9c
SHA1

99fb10d0c4624774b32ffd62f3ee808bdb51f42e
SHA256

0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e
SHA512

f8f77388194ad58c19f01d7a34da5ef10949d8f89917a8d0c4c0659dba30798af637849ad7a0d01b304c1eac3baf5daaea3b0935c918af22211b17553d656317
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8:sxX7QnxrloE5dpUpSbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	locdevdob.exe
2568	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc52\\xdobec.exe"	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB06\\dobaec.exe"	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe
2184	locdevdob.exe
2568	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2184	3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	28
PID 3016 wrote to memory of 2184	3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	28
PID 3016 wrote to memory of 2184	3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	28
PID 3016 wrote to memory of 2184	3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	28
PID 3016 wrote to memory of 2568	3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	29
PID 3016 wrote to memory of 2568	3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	29
PID 3016 wrote to memory of 2568	3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	29
PID 3016 wrote to memory of 2568	3016	0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe	29

C:\Users\Admin\AppData\Local\Temp\0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe
"C:\Users\Admin\AppData\Local\Temp\0feb487b2787d486b748250c135ee7a6d1ab9594c06132d99105fb80e93b7b0e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Intelproc52\xdobec.exe
  C:\Intelproc52\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc52\xdobec.exe

Filesize
3.9MB

MD5
93828ebf1713766fc2a10b50a2dd324e

SHA1
34c6a2890cc1c0df580684215c181c1956a97aaa

SHA256
8ce59e1c1470230834158bd35852d79a0e9072dc64e83b1ba5b9b6c18ebf8533

SHA512
80296d45644a37e092dfa129cdbf9647553eec82efd4cec5a01e2e8523fb52917a2ea9cf30b8678415c86a14a25b374e111f5361e944d6259ebdd19422b6990f

Download Submit
C:\KaVB06\dobaec.exe

Filesize
3.9MB

MD5
3d71b8125495ea621b64432a300a3e3f

SHA1
270856c0131baee56395abb869ebb79ed208dd17

SHA256
b5ed7e70da94d39282cf7940b7dc87e5d25cd22f75598c8d3c0eb353aff24149

SHA512
61d2d465fff74ada744d5e7924eea0345102b4315b89a402763ac708a40fe26ae844b8fe917a86f35e58205adfcf9266c82e2295f1ba21775b1fb56796b64e19

Download Submit
C:\KaVB06\dobaec.exe

Filesize
3.9MB

MD5
1087751920bcd3a31a00bcb4d8cf57ef

SHA1
4a1e2f1dad0f59858bb3125cad5d619941815c7e

SHA256
cb5951b1e7bb2ad0d922299a424594c13add3a92ab7ecb5670111907c8258c7f

SHA512
bcbdb60892cc8896093c3df2f9a6da0178b89969a73960d4ddb0373d3461f3c8767cdeca3600c875152796e350d7586cd07daf8f5d59ac1d506a98592e8ef0a0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
121360ed9cbf7c50fa960513b0881bf4

SHA1
f4bb6ce909367d3db02e97688bc8e36166df7198

SHA256
3c0ebf2775387bdb0f7e2e40439ccd8c3ef744bc2c9ae67640b1bdf4f6e14431

SHA512
8a53c0022d75f23e91f7eb740f7030e03a2b0fed4f87b90bfc0f0c7895c0d8689923cc8d5269e8e63c8f1677ad61c2fb5600c42d8394079c204d8288c82fb7ae

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
989f0b91330f0ebf2746eb5c97174e7a

SHA1
02051accad58b9b199bbb525c42365a9d67b774c

SHA256
22c4be303cafd18cca3b6bed040adfb64d01f86a85ca91234e69c4bf5c72897b

SHA512
e9562869f88f56f375f34de595f3d203411647a2795d1e06f23d84c4cfdd0ead0c38a6c94fea907993a6de2bf658afcfcee5dfa884446d92ea3a7f64c39d4b96

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.9MB

MD5
7cf4b78cfd84792f042e0302343f3a3f

SHA1
74bfc68c650f399ab33f62afd7c8e474e698ee39

SHA256
aa03a16fdfc98281f09f40481ce2ad9c62a2d5134e113258eeac703fdc2a4c2a

SHA512
702b6d3bb1638865ab0f5fb731b4e377c049917f0cb442c4916cb276f95ccab7a6642de4bb4053b4339415c5bc40f08856bf56b70a30c993ea501a93e0637e04

Download Submit