23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe
Size

3.1MB
MD5

0da2e533af3ca7e4ce8f791832fa3efc
SHA1

7b415cd2a87ceb34cfc87a5d08e4bf80210a4e3b
SHA256

23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a
SHA512

42120c06cd149b6277c240b2f1719c43f5887060ff151eff1d5d61acabd4ddaca5233df9490cfc572d9ce50131e21fc440c97e1b0e0ddaedb161f8fc1e313a5c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBqB/bSqz8:sxX7QnxrloE5dpUpxbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	sysdevdob.exe
3036	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe
836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7C\\xdobec.exe"	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6M\\dobxsys.exe"	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe
836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe
2108	sysdevdob.exe
3036	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2108	836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe	28
PID 836 wrote to memory of 2108	836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe	28
PID 836 wrote to memory of 2108	836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe	28
PID 836 wrote to memory of 2108	836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe	28
PID 836 wrote to memory of 3036	836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe	29
PID 836 wrote to memory of 3036	836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe	29
PID 836 wrote to memory of 3036	836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe	29
PID 836 wrote to memory of 3036	836	23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe	29

C:\Users\Admin\AppData\Local\Temp\23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe
"C:\Users\Admin\AppData\Local\Temp\23e4f367696f8032dc179e89157a1a9cb3d02066e4faf782499c9c94e02caf0a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Files7C\xdobec.exe
  C:\Files7C\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7C\xdobec.exe

Filesize
3.1MB

MD5
5fdb08890472a126e10e7a2c01dddaf1

SHA1
a7fd788f135893b6fa4f6e1a910efe6ec1298e0d

SHA256
fb3907225794cb05cd08b94b9ee7cb75281d523660cf8d5c43320c7b144b2953

SHA512
8959fa3fa4a1abf81e7c27013ad4c25f0ee71674a54a5cac5b00c4742410b58cf05b778d9850d23b62501d9dccf0027218fe0a1385b92959c4f91a2135a55142

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
65486bba5eaf0c8b4c390ba8c1a6365b

SHA1
3ea926483f1e3ecaf42ed73ea80b74bbbbfb7ecd

SHA256
9fcc575c95b45518cead8c9f336ec5d2fbbc54335774c7e9136abd566a4de12f

SHA512
4fb18b8c3c9d4f41bd1f7845f7214f213a3236279a5a74918b464c9cb6dd637768f0a6430c6571c07ba440e09c9ed076449669d3355ccd7f339739fdfdc1a60c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
334d2648ea47d8a1ea8675a34921d370

SHA1
7bdc1bb595de17b3dd86ae704fcc3448f2bd5f13

SHA256
530add92d9f1bc61f0b350ef2efbaa48f67041c715da4decfb144c366bc0638c

SHA512
dcfed0c937935c9270fe991cc651b9c6e458d4dc7d20579dab39d4fde769d1ed3989a53d4cd563f5cd59188205653eaba81503803e6527fa91ce833f2b70bb9d

Download Submit
C:\Vid6M\dobxsys.exe

Filesize
2.5MB

MD5
e167959716af99b4d7a7ffe6d2f56459

SHA1
41ac8f9f2ed9606bd761b8367a256b9b525cc60d

SHA256
3e275f4a95ace21baecccca052ea2f5b3bfcfa784f7b97624a0b5fc86fca22f9

SHA512
3c5bf1d802ad9852a485ccf864e1d46932d4b0ed6137ffe401f5a2bd02821ea8bf9962c5bab987237aeed429482b212dc984159cf3fda837f38cb963b8f508e2

Download Submit
C:\Vid6M\dobxsys.exe

Filesize
3.1MB

MD5
b9016c45b0643ab1849303f317e3b3ff

SHA1
47a0bb21b55592f195f2f2705c04466ea1057e86

SHA256
a4bddc4cf30ac615f3c76059742b6799b7b16ad5105f278bfd5dcd54879c3e38

SHA512
1699a2528c0301d1a8a35961a549fd90f1135eb8d50a04b10d7291f091937beb545ff43bd852a3d6a73574d0f5f8a190253cd3f1bddead49a607cc82aef5abfb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.1MB

MD5
575de574abd5ef7362eff2e028d1d0be

SHA1
ec012af482f5f63936a86ec33ed90e64ab0b0711

SHA256
7834ca8380ab512777dcbe2e79db455e1191e839af096314153b245fa3ee6190

SHA512
677276c4a5dc17a34d47207fd9fbbc53ef59a1081706ad368dffedf315a60598f8accdc04a846bdf4cfd2113f22c021b5a63f33ebc7560798589e21dfd62f787

Download Submit