d741fa5ac80fd1bfc13871273923dd6d17f020cf0b942f0020f788bf9bda2b42

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 21:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d7fdb9d4a53641c88821b8fd0ef8960N.exe
Size

3.2MB
MD5

0d7fdb9d4a53641c88821b8fd0ef8960
SHA1

32c78b53ec624cb12fe7fc758438331bcf07ad41
SHA256

d741fa5ac80fd1bfc13871273923dd6d17f020cf0b942f0020f788bf9bda2b42
SHA512

fdc357fab85b93f5360762dda31ad16157d407fbc1faa16aae371807a89fa87c70f1f323934de680493eb59e28335ce4dc538a685103c618b86d5d4ce9f8095a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	0d7fdb9d4a53641c88821b8fd0ef8960N.exe

Executes dropped EXE 2 IoCs

pid	Process
996	locxbod.exe
4932	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAX\\devdobsys.exe"	0d7fdb9d4a53641c88821b8fd0ef8960N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGD\\dobdevec.exe"	0d7fdb9d4a53641c88821b8fd0ef8960N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe
4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe
4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe
4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe
996	locxbod.exe
996	locxbod.exe
4932	devdobsys.exe
4932	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 996	4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe	86
PID 4844 wrote to memory of 996	4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe	86
PID 4844 wrote to memory of 996	4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe	86
PID 4844 wrote to memory of 4932	4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe	87
PID 4844 wrote to memory of 4932	4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe	87
PID 4844 wrote to memory of 4932	4844	0d7fdb9d4a53641c88821b8fd0ef8960N.exe	87

C:\Users\Admin\AppData\Local\Temp\0d7fdb9d4a53641c88821b8fd0ef8960N.exe
"C:\Users\Admin\AppData\Local\Temp\0d7fdb9d4a53641c88821b8fd0ef8960N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:996
- C:\UserDotAX\devdobsys.exe
  C:\UserDotAX\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxGD\dobdevec.exe

Filesize
3.2MB

MD5
826520b0718fc4ae5271aa2c329622c9

SHA1
f119ac2cd0bb4b822a02c15ff6bd8dbc8e5961c3

SHA256
3f6d315ffe6a86fdd1e6a3a193bf087e691b91ec32aa8cb9660e2c008b7e9444

SHA512
dcb7f4d68e95cbef563d6ef01d74c2847098b70d05f1468976d71e8c9d1ac08ee26262f77ec49ea4f581a612539e35897702b3b315f34baf9089d042fb86df17

Download Submit
C:\GalaxGD\dobdevec.exe

Filesize
2.1MB

MD5
c68e521716d984f7baed320ae66bdb7a

SHA1
7d1408fdd81ea279cca296fb492203d81929f296

SHA256
7a971741636102af4fda34f0e2b45ea34c308a6b584ea8ad6928addb3573ee7d

SHA512
542dc9b5a1b45830588d48760ecff47128dd04b92b5d5ce91b777718ab02c5c61644378f51eece0561db84843de2e8df810d41f1a41d65c244f0782660ee9e5e

Download Submit
C:\UserDotAX\devdobsys.exe

Filesize
3.2MB

MD5
4c1b77a639b33a768984184a93d7df03

SHA1
e44728ac530e2d56bb784c8ca65a159d0544d56a

SHA256
4df6d62284ee4e0d9df141f61102791d7af83578549869f5db2dcba16de07ce3

SHA512
5a07c4c83e08cb22931a9b73fc670bea9875790727c752624f4cbbdc053f019f4c48bec0de07fecf65db14d106fc2bfae7a953e2638226eadcd284d1e6770ae3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
48972975c2d9024347c7c1659b995da5

SHA1
4d0c5c25f3d08026f86c7b6627e4b384968235fe

SHA256
891cddf2903c63965d97c95a28339fd8a551a7bf425439c1222d57e2f9e97bf6

SHA512
8155c08918b52b184299fd3888f013d2dec89cd4da30bd4e2169535542513f3f99bf23037b3b18fe1ab738191428bc9ad87d6597bd6b44f61d61aad7e64eeb3b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
5b35cd0c07ef9d368dc141985942ec1f

SHA1
32d248ed995e6341dddd7dbb4f056002bdb10f26

SHA256
aef75e72d458c18a1b5d1c55a7bea7ec9359c016f22568e435219869538ba44e

SHA512
39b14073f68f6b58a497754c5ec8cd2754893a81cf7636066462a68a109b4c094860ebaefe4779612ad07f88733a0498a89460efaa60b4b856ec719c1f7daa03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.2MB

MD5
40a1ceaccaa2cc6f56b2e5f7e9bb0bcd

SHA1
3a23a30f2a138062bd857112c91e6a75b4c7d64f

SHA256
e125234168b4dd6bc8e51da1c1186570108d4e521c18e9e6b2da6d288d830a6f

SHA512
7c46324060e48b00a214663731156a12e66026be9a0e6a565bc7553680e4c2085b8c271650b5172a69002206c2e4a0f35c2a7dda3ca536a05d64cf3498cf6008

Download Submit