Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:51

Static task: static1

Behavioral task: behavioral1
  Sample: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  Resource: win10v2004-20240508-en
General
Target: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
Size: 3.9MB
MD5: 5960c9baf8b550d272ffb4560d83213b
SHA1: 927608f67a071cb85586d5693c7e4f84532794aa
SHA256: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11
SHA512: a647936bf55c7c7116d6deffcf5ce0ba8ee89fdb57e5ea85456b95d915ead7419dd4356d7d1a3f26deceeae13ee97ae2bd0dbf51766cae1ab0271eab2ec190a2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpPbVz8
Malware Config

Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
    by process: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe

Executes dropped EXE (2 IoCs)
  PID 2012  sysxdob.exe
  PID 4036  xdobloc.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesU4\\xdobloc.exe"
    by process: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUR\\dobasys.exe"
    by process: 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated entries across these three processes)
  PID 748   9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe
  PID 2012  sysxdob.exe
  PID 4036  xdobloc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 748 (9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe) wrote to memory of PID 2012 (sysxdob.exe), 3 entries
  PID 748 (9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe) wrote to memory of PID 4036 (xdobloc.exe), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe  (PID 748)
  command line: "C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe  (PID 2012, child of 748)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\FilesU4\xdobloc.exe  (PID 4036, child of 748)
    command line: C:\FilesU4\xdobloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads