8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe
Size

2.7MB
MD5

632c9274330d6e8cc4826c6cace9f65a
SHA1

1f9c286628d1a495f7a64a0b27b6409eeef0ae23
SHA256

8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a
SHA512

8c0c7408318370fa6fe90ba5287e745b4c6e47098758c59acb6d554e33ddd172011b339bca1e13dc097367878c74d4a982c86cb0f08900e58cf7fe48dae5b047
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSq:sxX7QnxrloE5dpUpLbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe

Executes dropped EXE 2 IoCs

pid	Process
1588	sysxdob.exe
2612	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe
3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBP\\devdobec.exe"	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD5\\optixec.exe"	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe
3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe
1588	sysxdob.exe
2612	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1588	3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe	28
PID 3064 wrote to memory of 1588	3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe	28
PID 3064 wrote to memory of 1588	3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe	28
PID 3064 wrote to memory of 1588	3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe	28
PID 3064 wrote to memory of 2612	3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe	29
PID 3064 wrote to memory of 2612	3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe	29
PID 3064 wrote to memory of 2612	3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe	29
PID 3064 wrote to memory of 2612	3064	8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe	29

C:\Users\Admin\AppData\Local\Temp\8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe
"C:\Users\Admin\AppData\Local\Temp\8329b2e790d12dc878bd1b4199d4e6777794efe4ba1281486836dc5781edbc7a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1588
- C:\UserDotBP\devdobec.exe
  C:\UserDotBP\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotBP\devdobec.exe

Filesize
2.7MB

MD5
676494c7abe8e2cc088ba80e6429c505

SHA1
212781fa7459573079ef177094320008f4930e10

SHA256
95bdc3e8fd8e4ea771e00d34c92beaa2aa6242eeb4eb6944e6ed8645733f2a7b

SHA512
609a15f9af0daf9274029ae6d4677935a41f3e813a3464677d8d6b2b83fd6d268ec634a083317c2ffe286fdded6b9137fdc2199147df895361d35513af181be5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
7425a988321152a3c7304e2d118191f1

SHA1
aa1713fbc85760d49cadfd4526e57772ea87a1ff

SHA256
302debf8b45e34835370bc238c7593bd7d287025ef350a00f4346c39d28cd868

SHA512
76c8b99af798e5b40e866757da31f2a0dcc625a9045c8eee95fe0136a78fcf53f27bd12a56e41838be4734f90866578a27d423cabcf4f82be53f6baef9b9081a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
50f2428679aa595072b99c02f70af307

SHA1
a04e2e17364e9d168d7c36eb356fae44e64d6c89

SHA256
bf53a8e40b25a488ed5803119a8163231553164bf1b12cf66ae35386f7266985

SHA512
e7c45701d7166b3feedce2b64b211440c92c86cdb2b45cb18948ed3b5e144942e5a9a367248a2a12d72fedac37a4ffcbe1fb8c9820b78da8babd1be9755536a8

Download Submit
C:\VidD5\optixec.exe

Filesize
2.7MB

MD5
55a5751279ad0fcead37329c05d71010

SHA1
977dc1d3eff666acdb8bc73725c8ae89a9ecb2d6

SHA256
670a5f1148b4d8af3bde090e0ce129fd6215712e361851415344a59a2a295c2d

SHA512
4efd1c1f14c3b67d5baba5e58008b93e3d7f55f7373df4b9d3360c4a5fdc34bd5df97f50a38c56fb60f1a7ae07df5d632b9454df6606cb4403bb65466d805f3c

Download Submit
C:\VidD5\optixec.exe

Filesize
23KB

MD5
969ac00dbffd6557e1c48d54cf506905

SHA1
39791b9fc753abcffd68ec7c0de08c4da5b3f047

SHA256
9260f4caefeefac2fcbaf4580eab602d2b21ef02340693d7c546e21a52d77325

SHA512
37090e98574e4a4a8b55af3f97862c91e3d4693b1b3d13d0e4910ba989da537093f63f6ec31e6cf54f96e3da7e624d782378ccd3c9dee5ce34a3f44bff5ead26

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.7MB

MD5
ea40fe9f6129b99476ad7e67982baad5

SHA1
fec0dc8e3f736acb4ea4d54006fac828d9960973

SHA256
4377481f8db4022eb2929d0a802a0bcd6c0c2285e53ecfb2e498a9b1175f279f

SHA512
271823bc94876edd0c82fdfc27fa6edb15d0344e0f85458d2b99524ad9d2182bdabd2677749a69786492efbff0c6eea2471421fa895aebbb82e567ff92e3077e

Download Submit