b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
Size

3.1MB
MD5

8de8acc6200012a1460fb562cf972223
SHA1

c07ced7fe4c0e3471fac9e2ab4cff7b8d72ac05c
SHA256

b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382
SHA512

d48078ca20d303bf84c0115c9a63872a7aae22a40b8fcf5ae88da54cd7f2889f281635cac757e386b00b8b2c0de617d4520670d336e1c681c0e23b93d4eb89f5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUp5bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe

Executes dropped EXE 2 IoCs

pid	Process
2212	locdevdob.exe
2588	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPZ\\xdobec.exe"	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxVI\\dobxsys.exe"	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe
2212	locdevdob.exe
2588	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2212	2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	28
PID 2580 wrote to memory of 2212	2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	28
PID 2580 wrote to memory of 2212	2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	28
PID 2580 wrote to memory of 2212	2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	28
PID 2580 wrote to memory of 2588	2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	29
PID 2580 wrote to memory of 2588	2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	29
PID 2580 wrote to memory of 2588	2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	29
PID 2580 wrote to memory of 2588	2580	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	29

C:\Users\Admin\AppData\Local\Temp\b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
"C:\Users\Admin\AppData\Local\Temp\b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\SysDrvPZ\xdobec.exe
  C:\SysDrvPZ\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxVI\dobxsys.exe

Filesize
1.8MB

MD5
a11f76255b9ca6234bfd6aa66474643d

SHA1
e3cc3fe2e8e1a624e3288e828320a33d91a8d733

SHA256
2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6

SHA512
5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

Download Submit
C:\GalaxVI\dobxsys.exe

Filesize
3.1MB

MD5
203224893186f6fae622fa3a2d26a4e0

SHA1
5e4c2a7b927397653f12e5646ad5daa32fa7e154

SHA256
da78ae039a1f2474eb48bc94fc2a10af7fa6ae00f50e3371325fe3bb853042cd

SHA512
32d6a2d9dbd3922bc98d466505b86a8a8f7e2254656a55b0630b0ab22730e3fd7bce2893fdb39aa6819a513d07bcf96d9186a36a185a81a44a03bfe200e663e4

Download Submit
C:\SysDrvPZ\xdobec.exe

Filesize
3.1MB

MD5
ee808cf9bc8f2a572f536f45227ff5cd

SHA1
76761a98ea28670d82da13a541281f21f6b5c8e9

SHA256
1dc6579f7f4a86c8627b0d60adda401cda6a2c582fe1e4ecc8a1424698b30304

SHA512
2cc4ba728315adba7377b98bd094fa5a574bc422e26e79fe922008db18e545d87e24c245245736722a31ba89c7e62766bbca74680b6d4577b8ca706d58382d66

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
f23072877976d7a7281e17277a179209

SHA1
80a4df64a1b588fa526880791ad810134d29465d

SHA256
36511abb5a884cf5f5978a321ebd9c46353cb22f65c63743f2971d7c13372448

SHA512
eb768cc9b27cfa26a942818d1005d9b17e0232eaac15a783396ebd0520bd87e6be9b6a57225f41a3cea00ab766057fd4adc36cddf3cef8f1420cc7ff97c399f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
3cf82aa36a53785896c69a2b3d9bb951

SHA1
bc199c507d7dd6e6771756ad899cc80f3b5429b9

SHA256
a31198fc2996e6582320a5d7227c588db291d151e33e6f53c548d5193cdda6ef

SHA512
9bde891ce3f79b5a80aa6319494e112e9dd929bf64626d084b629972aa3c250edfeaa49b99fa9a7a49a5b39155901540113289805364fe4632deb551a026dc6e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.1MB

MD5
5c9993d8f6af820c78edf04e188bdd40

SHA1
dd1a34a47f55b3be7e27eb66a0cafb139e83c5b3

SHA256
0e0565c1b395e5d5f6d22cb8472a9be3fa28ca7282319a535ea3a20fe3a4f6e5

SHA512
2cdcffe30cd6577a352cd1b82f278d167b7803f66297a1be2bc1882ebbbd0cf857cfc9936c2bccbd3dc06f4f2414f798e8453709bc4963adf59467a0c6c4c9af

Download Submit