352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c

General

Target

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
Size

3.1MB
MD5

7326e2cc8b19595770965d72e1041325
SHA1

e1758cbd4eea1c45ef714d1c0651abe27d91fe93
SHA256

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c
SHA512

a94365d8c26f6042c75f9fe0eb7945509ef6d5f2fc3f7e5252678efb3bb1fc2dc1efeaaa007e849c279703f66074c08a63686e96c780a35287ebbb2c4fd92236
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpobVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

Executes dropped EXE 2 IoCs

Processes:

locdevopti.exexdobsys.exe

pid process

3000 locdevopti.exe
2140 xdobsys.exe

pid	process
3000	locdevopti.exe
2140	xdobsys.exe

Loads dropped DLL 2 IoCs

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

pid	process
2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQQ\\xdobsys.exe"	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax0Q\\dobaloc.exe"	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exelocdevopti.exexdobsys.exe

pid	process
2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe
3000	locdevopti.exe
2140	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe

description	pid	process	target process
PID 2956 wrote to memory of 3000	2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	locdevopti.exe
PID 2956 wrote to memory of 3000	2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	locdevopti.exe
PID 2956 wrote to memory of 3000	2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	locdevopti.exe
PID 2956 wrote to memory of 3000	2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	locdevopti.exe
PID 2956 wrote to memory of 2140	2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	xdobsys.exe
PID 2956 wrote to memory of 2140	2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	xdobsys.exe
PID 2956 wrote to memory of 2140	2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	xdobsys.exe
PID 2956 wrote to memory of 2140	2956	352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe	xdobsys.exe

C:\Users\Admin\AppData\Local\Temp\352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe
"C:\Users\Admin\AppData\Local\Temp\352cb323fe4e530753a091672973f95f8287db6ce19bf86b9aaa17df909a245c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\IntelprocQQ\xdobsys.exe
C:\IntelprocQQ\xdobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax0Q\dobaloc.exe

Filesize
2.8MB

MD5
4a3a3a621376877e555eddc5b97e706d

SHA1
0a5f8c0c688510d3b84c3ac0dc8d76cd00f262ce

SHA256
e59c0139a9dfda4fd6af210ff09d93596766c1044836805c30f50176bc60f71b

SHA512
c1dea18b7a6cf3941783835c7c46c43862d4254ac7dee6816f8d9bdf0cf9a23047944eae95724d70a93a8e66d6f4eb8ed09fe9885360a74ab59d41370ca9a9e9

Download Submit
C:\Galax0Q\dobaloc.exe

Filesize
3.1MB

MD5
51cad8754747b58e6770ef2f937b6073

SHA1
3728ea1c02af51dfe6abeb24f24a28930f99a8c1

SHA256
0c88a30896a1b8237772068ffdd5efa395ddb8799d85bb73c3741eb66ec55269

SHA512
2538d17ad4ccc41fc8f953b8d855e6b7dc3643a94bcea1c7fb05693e12f54012043180521739917b3f828c98125a62faac9450b3ceb4607c512402f22ebe7252

Download Submit
C:\IntelprocQQ\xdobsys.exe

Filesize
3.1MB

MD5
38327cc4f5737445b621e278bb59fd7d

SHA1
45784d63a822bc071674e3864ebc6f2b5c0fb5ad

SHA256
3e31896d6fad8b0a80a4c15a0b93fb782c7250195a144c42ef2febaa05ee6c9f

SHA512
3f07b0a98b9687dbdb531753c239af3cbfa83b2e2e07af835a598560f1de4446f05b1145077a82471ddcb86de37225d6e5ca776ccd5bbc3d03712a9398d58d5d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
e5b9b3e2a1ce57f949596d80bfb7fcfd

SHA1
14c57ee8ac739fc196894a17c8e41596636c1079

SHA256
9776d32b84b009045c898124997d8b4d2c1e1bf7ce5979ea4ff42fff095e24f0

SHA512
f76b2010c6358879e243412e20a75efce5bd4b97052d8d9ca2eda94835a1ed28574bc1dd2c4238f165513e05759cb1009f52daa2e0cf20cdd3e9002c5dff4cf9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
af9387996df1527ae72349008f76a98a

SHA1
e07e2fe38e2d82aa81a238244155c286c122b7ba

SHA256
fb4a3adeb7744ebb952d3f4bf5a263ede5abe2dfb68e62ea13115df9a98aec89

SHA512
77c5d82a34b98f82f77627cbe6520987a66e01a47bf22671605f0bd09c6862d5aa6d084ad0e4a22a26883546f4c324c1e85e66fbd5357897b960570aecc5c50a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.1MB

MD5
11456bd2463e4f19a8f6e659da57690f

SHA1
a0f746b9f45b4a3dcbbcb49cb71d9c2662476734

SHA256
dd1ca18f4c7b8142747a28887af8df458b5ce494171fbac2ced5028c9ad623e9

SHA512
145870e7d3f8d44c21553dfe136189f23361ee73219072ff854ccaf82a587f585725cc5c8616e3f4383211b361c1ab9708f7c8d5170921394ec3bafaf213eb14

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads