ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 04:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
Size

2.6MB
MD5

5903a8fc3b180ffaaa182ed6c0e09040
SHA1

4e866daf5724641728cc5a44d6042752db832838
SHA256

ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048
SHA512

c27708f9505317ee7f6c1285ec53e66ddc7d93575050deef4f1332017c5037f0a034e04cbc6fed7e89bb5d1f935b6bca18c6719bdb63aa6e56a8d844412bd98e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpsb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe

Executes dropped EXE 2 IoCs

pid	Process
2396	sysdevdob.exe
2012	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTC\\xdobsys.exe"	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHP\\boddevsys.exe"	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe
2396	sysdevdob.exe
2012	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2396	1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	31
PID 1996 wrote to memory of 2396	1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	31
PID 1996 wrote to memory of 2396	1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	31
PID 1996 wrote to memory of 2396	1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	31
PID 1996 wrote to memory of 2012	1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	32
PID 1996 wrote to memory of 2012	1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	32
PID 1996 wrote to memory of 2012	1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	32
PID 1996 wrote to memory of 2012	1996	ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe	32

C:\Users\Admin\AppData\Local\Temp\ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe
"C:\Users\Admin\AppData\Local\Temp\ba527a404c5fbe3ba7aad4783e3a2b2311ed3d57a13e2c89da00407ff8781048.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\IntelprocTC\xdobsys.exe
  C:\IntelprocTC\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocTC\xdobsys.exe

Filesize
2.5MB

MD5
aea53c83d1d4ad06344127f01e2699c9

SHA1
8db6aff9842ff0f9602e12b640a73134797deeb0

SHA256
4160db77ecd76c2e5e8caeda4f85fc7ec47fb1a5a0684189b293ba7225594a45

SHA512
b462272d8385fe480f27e07c3a2dffa22c8d346241d4221c8333e53b9a1b7bd22690f8790e2687c69b8f125450ea8c3cf85b780aab2439e19ccc03648787ca71

Download Submit
C:\MintHP\boddevsys.exe

Filesize
2.6MB

MD5
49c446c6dff11fd07af5881b41d42ec4

SHA1
181a8c69034a1477ea32fbc93a0b9f08f8d51d7c

SHA256
adfa661a89f61e00c441d2c189b7b432ef2b7bf6bf29ef653c6978b49f673ac0

SHA512
d4b2f426303b1797579a71cb439be8d5c274333eeb0455b186a6f58f7ff1f7fd76f14527f63d8794c93fc6f01b40cfc24e1aca7ea122f9b3579f77a5255c62d6

Download Submit
C:\MintHP\boddevsys.exe

Filesize
2.6MB

MD5
b1195100f3c1455b5134b7220b6911d2

SHA1
db82f422a3ebbf4eee67269df22f565286f76581

SHA256
f59849d31a623e03466c166db6b3181f75dc69ca5cfcb68fb30ab501fb631e20

SHA512
b8734f8c2fbf96ea7e3a13bf938eb8866c7cca5d54bdf7624eb393c66fc4e92b7be23c12b4effa9078b8810cd903df5aa22f395d0d83358c175a8dc58e391676

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
7422085b6e20515cfc9f991a3fda908f

SHA1
973fb40e233bed80be0443419bb0620e0af24aba

SHA256
4e2d3cf3dddd1157884873f42a91fa37c0e379b5d9408baf03bb6f06cdf24454

SHA512
1b188bd2cacc2afe2ef0581062269dca815cdd8cd3f0b0590a2d01ba5d2cc5336937da5139da233e5834251004a36f01af5b3fda61893807aec4bd2bcbf81eaa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
3cf89be7627b4e7f785f207797a01cd0

SHA1
c907ca41150126403461c9acd8c00583fda2922a

SHA256
6901e611bb1f8ebd814233c1bd63949a0bda75f205c933f077b446c56e39be8a

SHA512
71fd92b3d680a7c7b8e3850c3d9adec4d0dc17712c873c03ff22deec5003af5cfe137eef051c8a11d2ffc3ab52705d763ec11d398ed48f4d7dc826a8ac5ff6ba

Download Submit
\IntelprocTC\xdobsys.exe

Filesize
2.6MB

MD5
7cf415df03576806ef2e0c103e7e9bca

SHA1
51ff89db12cdba197b3a858d3ce4264ff21804c1

SHA256
ee080e2781060274022f4a31afc3ac69321c4e4c97c6499f4423a06fed860425

SHA512
b972d7f950e955d87654bfa4f9e895fce6f091a6907f7a938d155181cd9292991932a3d97861b162f36a874f4f6263594789f252094443d5c28c122f48b6cc30

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
33492bbc3e9623e2b2b1dbbd3912cb6b

SHA1
963c28e06600df31d973b544062fde21203f3f89

SHA256
de726ce23f7cc705ffa8f01b49a039ea1d7543aa34d3f533e539077936c025e0

SHA512
4b0b48b613db25d741dcb05e4da4f5ffa9f3fe28d7634a3bb27d103e3b99e6966822f2fd9f7124c2a28df21f6a3802a10962503e1aebf0aa8da1bcd585ec6d4c

Download Submit