9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
Size

3.2MB
MD5

875fa26be7067383c3f73c9de74b3141
SHA1

d02babe66a661ed2b46e8b6869b48f519b51b1a0
SHA256

9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717
SHA512

851f322c6690a7e5a67dc876141c2473c3b95f54f2418d96543d5751d64232366e3f645a27a6a38af61360d76bdd361be0c610d0617a59ddbd72de0927095765
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp5bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe

Executes dropped EXE 2 IoCs

pid	Process
2760	locdevdob.exe
2932	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc07\\devdobec.exe"	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBV0\\dobxsys.exe"	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe
2760	locdevdob.exe
2932	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2760	2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	30
PID 2276 wrote to memory of 2760	2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	30
PID 2276 wrote to memory of 2760	2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	30
PID 2276 wrote to memory of 2760	2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	30
PID 2276 wrote to memory of 2932	2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	31
PID 2276 wrote to memory of 2932	2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	31
PID 2276 wrote to memory of 2932	2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	31
PID 2276 wrote to memory of 2932	2276	9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe	31

C:\Users\Admin\AppData\Local\Temp\9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe
"C:\Users\Admin\AppData\Local\Temp\9082c74cb3efa29601cc7ecc2e58d5544fdce56c3ef106436575839044b57717.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\Intelproc07\devdobec.exe
  C:\Intelproc07\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc07\devdobec.exe

Filesize
3.2MB

MD5
7b7e928f3ac2feec0c6278a7d6bef235

SHA1
c298d4c336f09903995eeb878e7af53afec51b51

SHA256
3c81f4f48d888ed862f5a9b3a5bca2d1a09f88cff5f7586f866d294496b85cd7

SHA512
204aea65f2661857c1df4fe5301b958fd8028cf680070ca796f4171fe691a7a4774d57d5b3806cf4dd826b6b689906422623db50495f4493a865d82cb7ad30d7

Download Submit
C:\KaVBV0\dobxsys.exe

Filesize
3.2MB

MD5
5e966c1f43d98f165c41ed88b72dc697

SHA1
c04752b71f557af36239f630ea37ffd837678b1c

SHA256
9e99c9e13f9eef6e6ef8e19e37b2fc67cf304b3dc4df75dbc9f72ff6a3457871

SHA512
9cd4b4eb2c427415790ce4f4221fece111929efbf010dcdd81940a6bab72d363f3e89ef23fc5d25e6aaa82d95b03c67286924cb39f0198148ec46fa0d48cb1b2

Download Submit
C:\KaVBV0\dobxsys.exe

Filesize
1020KB

MD5
dfa8fa050045d78d42b38074f9fb0822

SHA1
c78c59e11e8422945b8284a9c6d8fdd2a4bb7edc

SHA256
48f8b0812be52c0226235a9d1b2ecf7a418227b30d04fdc8009610702a79d34e

SHA512
15cb02b7560ccf07b8736937bc5b07602ba3990944ec79615d157d37c27742670c8f2983353532ee786d063e15d9771d1e67e57955fd1837a7102cd2b1336208

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
6d88217873894aeba7fa54bc3c15c431

SHA1
65e7cf9d18fa541c0fa78af4ba4a0ced6e97a5b0

SHA256
6e9081d85c79ef36e24e869753af49a3ddacd8d37762d2067939ab4b9b974b4f

SHA512
1b4d300f4de5e2e95b50da0b60cc6c3cb6f5785c337b3b09012a34323617e07c4af8dca49c6f12bb77069b6ec6292040aa9ffb9fdcb9eaaa857a213462bc1a4d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
12459983d1f4a6fc196b17217d0674bb

SHA1
15d7e6c86f53a8a8e817bd2e7066293da2662492

SHA256
71d1506c15e6c40998295869aace5892dbc8cc12a8c156efd74a114a9ef34a80

SHA512
e7ab6b5a300beab0c5de89b904d1f9b2ca813d33d2ee66a093a410f972c0cc9278cef914d23ad9b78459596e9ebd3b4e196baa48ec4add697e30d6a077b95171

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.2MB

MD5
7374e2c7641f1bf73794bae2261c99dd

SHA1
5ac764a9b640c6938a35655cb8e04d34e62ade1a

SHA256
5b3bb67e9a36ed4f4c0892e4c6a947ee2c4bab90c470e591301ca54b7c7d311c

SHA512
a07d552265e57100698724096c6e18f97f09c544ebe4166c35940f3454a58ee20d2be7ac9e4e8531c568e9903619ab48bdb0d8bfe53aa6a99818e3cba2f0688c

Download Submit