d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe
Size

2.6MB
MD5

39910773f8deb3a8f3dd9e0a65c7e1c7
SHA1

166bf90ea54d8ee3398fa9176c9164265f475078
SHA256

d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0
SHA512

1ae84a57c9f628584f6754ad0e84c6d82d268f21cd1c3096574572714bae54c7bc1b43103512f9f81fc8a96a978ec900305c867eab82b8d19530f1c5d9f808b9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUp7b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe

Executes dropped EXE 2 IoCs

pid	Process
1716	locdevdob.exe
2968	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe
2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTI\\dobdevec.exe"	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc97\\xbodsys.exe"	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe
2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe
1716	locdevdob.exe
2968	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1716	2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe	28
PID 2928 wrote to memory of 1716	2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe	28
PID 2928 wrote to memory of 1716	2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe	28
PID 2928 wrote to memory of 1716	2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe	28
PID 2928 wrote to memory of 2968	2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe	29
PID 2928 wrote to memory of 2968	2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe	29
PID 2928 wrote to memory of 2968	2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe	29
PID 2928 wrote to memory of 2968	2928	d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe	29

C:\Users\Admin\AppData\Local\Temp\d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe
"C:\Users\Admin\AppData\Local\Temp\d0e2e3ce6992890b66ea4773fd9c6549274d36843ac7467a8107ae0270cdeba0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Intelproc97\xbodsys.exe
  C:\Intelproc97\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc97\xbodsys.exe

Filesize
2.6MB

MD5
3481c4cde23207ea7a633d2b4ab96f63

SHA1
d361989e28643fcd0634235c1879d29843c555eb

SHA256
bffd20cc641da650fa947cb3675ec9384594c5b40831da8b518c602bae3926b3

SHA512
f10aa1009e90d159b4140dd8a7774444747dceb98fc9053dc3cbb733ca1bf2822c94b7c6fedabbf9daa59330d510dd72dd592fbebcc68ab66d506d106450f5ab

Download Submit
C:\KaVBTI\dobdevec.exe

Filesize
2.6MB

MD5
d745b3439de92a2ee2925f43098999b8

SHA1
7240b962017e61e64f484a0d2a889d3f07f696be

SHA256
c8ff44d2e753bfabb5f2d3fd250e22a8e366255562c4d97c3747cbdf614dfb37

SHA512
8ac3fb58e943d4f3578aa8aeab6f73d9adf5f6549ef42f6bfb9dc23b7005a217a31dbe3b8cc832f2edacf48dfecdd3e65941ee708b58579116d204a0c51476b5

Download Submit
C:\KaVBTI\dobdevec.exe

Filesize
2.6MB

MD5
f0857d7d7ed6317a43e3a53b0a081c94

SHA1
84f763cf8b22e8d415dc7c1fb9a624fcb215ec07

SHA256
61d6a7806c26d4d31837015e12d030e3458bd8ae55dc90835353a86fe2f09485

SHA512
ea9c0df0b866d2ca3ffe02f9e749d23b4b7e9e23f3c60cab3050be20cce63043cf0ed82e7494f36ffef1877cf28ec06b1958dd6aa10959de0b0369f4c4b4e447

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
5cae25b1796382d92997ccd6515e0adb

SHA1
3d73b81b2bc96018ece9cadaf3b3a2f9902e87ba

SHA256
98ab5bd35ee98e0b1ff0b29afbf315055b60f5ba6b6ffc144dacc66f528b4f92

SHA512
15f06ce031e9756d9c42eb7190733c85a38ceee76a00b521bc0f2e3ad5ebe1559f44088586b3fe08cd72b893f79d8ff078770cd3b18e09ed7b1729e0dc59b0c0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
106486d045e1af5553a6eb0f627f9c99

SHA1
40bd08876cefb8dd06e44ac082f7e6e6b1fb8943

SHA256
e0ae934b1c57c4852a3061ad85c82076f2cfd5e55acd4635f8ba441ca7919434

SHA512
4100b1fa5b8eff504859f9f1e0b4c21999325484cd68eaf4a5d7b4de3b0047f574699199d23b25967e60fdf11612bb3bc8ab47f6eaa6ec34f8b735d03905b89c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
2.6MB

MD5
6fc3ebd942dbf4cf9f9ce3da2df55224

SHA1
cdf8ce5be197298d6c2171605e1fa1cc56ed6909

SHA256
a726a1e0d1e4708974ecb0741768b760308d548efe4042c994b6913f47d665db

SHA512
2c1c0b2821524f9f032275a5ddebb1fffeda26f1ef3f713c5fde70201ef95e5c4e2e4bd2e64c771af4c41e643dcd68afcb20fbfd88826c71dca84743347df920

Download Submit