81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe
Size

3.9MB
MD5

df4955894166e3a3d22857881490b5b6
SHA1

4c9de7ef58b18bbf21fa68a52abf86a116a5c5cf
SHA256

81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4
SHA512

cb1939ff788ab82dbd76b1e2ed13761aa22e9db30b9d723b4d38e4bffddaa55112ff044c5c1fc871a00c7ce9a3fd40ed54b61614946811f5aae248e951c3ec5d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpAbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	locxdob.exe
1280	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe
2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesI0\\xdobec.exe"	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6E\\dobasys.exe"	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe
2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe
3052	locxdob.exe
1280	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3052	2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe	30
PID 2520 wrote to memory of 3052	2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe	30
PID 2520 wrote to memory of 3052	2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe	30
PID 2520 wrote to memory of 3052	2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe	30
PID 2520 wrote to memory of 1280	2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe	31
PID 2520 wrote to memory of 1280	2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe	31
PID 2520 wrote to memory of 1280	2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe	31
PID 2520 wrote to memory of 1280	2520	81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe	31

C:\Users\Admin\AppData\Local\Temp\81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe
"C:\Users\Admin\AppData\Local\Temp\81e6c979adf293bac60b2a85d5360704ebdb4c92b05dcc715b2424649328dec4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\FilesI0\xdobec.exe
  C:\FilesI0\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesI0\xdobec.exe

Filesize
3.9MB

MD5
b1ce9d159611715284b9cfb25e9d3765

SHA1
d968b51b717dead8c5176b56a5005787087050eb

SHA256
22754e157ee5426afd3028424624002fdf9a226ad02f578782f35936cf2c84e8

SHA512
d64f3fcde428d121ea771cbd6cb0ddc22d0df8e86e7ca01867ebbd98583f18d5df048bae2ec0f737c4c0acc61c5147570cd60ba9314b1f0cfc26588bc8004e23

Download Submit
C:\LabZ6E\dobasys.exe

Filesize
3.9MB

MD5
c6a9c8e972afa18588e6f088cff44558

SHA1
cf6f492d5d1b27cc32736a31b97fdc1c8ad99ae3

SHA256
fa755f8dc66045189b1cc2baa1ab943ea3b226a467c934dd1b6ecf8f3a1e7039

SHA512
e1df8e0d877597c90490889a1c2df3d6e8fcd52fbae261201c01561f02628bd604bd63a91ac0c302156b73faca8011035404d94d9284f2504732a3b934846a07

Download Submit
C:\LabZ6E\dobasys.exe

Filesize
3.9MB

MD5
28dbcc6b1706c56f2d96b40b382beca6

SHA1
9ddf0db085b9ac01a9f56556be167c1b9630fbec

SHA256
5d61fcee67aeb07ebe5fc74653a21a5220f7487b6094b247270612e085758ee5

SHA512
5a1559dcb36108ae946027f5e73d82624843de8d1eb87d08d73e8ca8b51b440d8cbb873aaad34b3fe9ceda96d9047fa8f84b9448237d92ddc6b4c9288d137f68

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
832c2c826ac7f2f754a0a8717c8e12fa

SHA1
3030a179b4f5e03441bd228cfdb0d91d6ffb9162

SHA256
515059b73d7548d4615aeb959f626d74696c91bff95809788b8d52fbe42668d1

SHA512
ef987ae8ec4e76efbf7534a2515ea6ce179f397df430ca14902271ce723b3daac7e6321ba2f9c8efe7ef91f9f7758a8840c836951b446294b0c8c3fcbca376c1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
c0c987787533addeb9797009edbb9ac1

SHA1
c36c467472b147eb7fd2ac15cd6fe561569ac067

SHA256
a0216c998da558d22f579a239fa07fc9cf2c4fa7f8ce0b5adac8329815fabf5b

SHA512
23b8f16afc4d2e207de8fa29f12d84dcb3c5bec874dc1d156bd5d698f5907d1ee434618ee72c7b2e34ee7daabd583039bd73d23795d0eda7e34b5f9cdf9017d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.9MB

MD5
12f42d9d785aa7fcfd231f4e8392c8b5

SHA1
30b283f42bd807cb32170489b467325b84887589

SHA256
a38f00b778e08315f1cc3b98cf37e514831df93d16624a9808942823382d0619

SHA512
71950c3afcca2c0a32dfcf0122eb556ceccf41007e9d149903adf587a4bcf72ec85e290886fd649e0d97882a0990048d53f53f2738ec54c6e6482d3333cddfca

Download Submit