3615b52e16b586798efc5a8e78dc9d0f823e7926d824d69caff87d8350a313a5

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ef5e12336cde017f467dbfe49bea1e0N.exe
Size

3.6MB
MD5

9ef5e12336cde017f467dbfe49bea1e0
SHA1

3e9f4b22c937cf90b722d1ab9a576beb7dbdf765
SHA256

3615b52e16b586798efc5a8e78dc9d0f823e7926d824d69caff87d8350a313a5
SHA512

54760b19b91f5474cfeda3af1affd16c27cea01a3e504ecad1974a08b8c7dcd9b9e57ffc4ff0b8a2e09e21551492d3dfe9a81b918d3fbaff0d61ed77e7e0ae66
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8:sxX7QnxrloE5dpUppbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	9ef5e12336cde017f467dbfe49bea1e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2532	locaopti.exe
2052	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	9ef5e12336cde017f467dbfe49bea1e0N.exe
2392	9ef5e12336cde017f467dbfe49bea1e0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAE\\devdobec.exe"	9ef5e12336cde017f467dbfe49bea1e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6G\\dobxsys.exe"	9ef5e12336cde017f467dbfe49bea1e0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	9ef5e12336cde017f467dbfe49bea1e0N.exe
2392	9ef5e12336cde017f467dbfe49bea1e0N.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe
2532	locaopti.exe
2052	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2532	2392	9ef5e12336cde017f467dbfe49bea1e0N.exe	30
PID 2392 wrote to memory of 2532	2392	9ef5e12336cde017f467dbfe49bea1e0N.exe	30
PID 2392 wrote to memory of 2532	2392	9ef5e12336cde017f467dbfe49bea1e0N.exe	30
PID 2392 wrote to memory of 2532	2392	9ef5e12336cde017f467dbfe49bea1e0N.exe	30
PID 2392 wrote to memory of 2052	2392	9ef5e12336cde017f467dbfe49bea1e0N.exe	31
PID 2392 wrote to memory of 2052	2392	9ef5e12336cde017f467dbfe49bea1e0N.exe	31
PID 2392 wrote to memory of 2052	2392	9ef5e12336cde017f467dbfe49bea1e0N.exe	31
PID 2392 wrote to memory of 2052	2392	9ef5e12336cde017f467dbfe49bea1e0N.exe	31

C:\Users\Admin\AppData\Local\Temp\9ef5e12336cde017f467dbfe49bea1e0N.exe
"C:\Users\Admin\AppData\Local\Temp\9ef5e12336cde017f467dbfe49bea1e0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- C:\SysDrvAE\devdobec.exe
  C:\SysDrvAE\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB6G\dobxsys.exe

Filesize
3.6MB

MD5
1be9b6574a290727859bde776e6034ce

SHA1
efcc609e8d0fd901c114b64c46e182dbc93120c7

SHA256
c17235d9bedfd4110c67d88e46e2d6b6a435354887a4ca92ca4aabdfe0eb641c

SHA512
8798ee890635038a2ab85ec76f0bbded52d3ce98de6f0a82eec9d25a86571d98f53da0836990728bb16dc44bf2cd20bc6c3b1da2bc657ffa24f567dc10b8634e

Download Submit
C:\KaVB6G\dobxsys.exe

Filesize
3.6MB

MD5
97060657f4d28bc647b2edd925d75c43

SHA1
be2d632cdbd72a864051d0e56732def2e3800565

SHA256
c5bde730dab7ceda7696873acc1791f5106ed56945684ab9ae77e1783184b83c

SHA512
569af72ecbcf0721d98daecafd53e0dfb1542196fa64aa3b017d520efbd9a2973d11da40e18fd98c54bce0efd4b61a618374d8ad06eddcf77cc887640db031ca

Download Submit
C:\SysDrvAE\devdobec.exe

Filesize
3.6MB

MD5
c455294acff8ff2ff17fe8cb0eefc1f5

SHA1
8b3fd119f1f8d7595cfda713f9b0869eafeeab78

SHA256
f1352322a64662d8ecc798696fb2b0441d4b272676492798ce112f584b63ceb2

SHA512
72bd06028f9a4b45ba2a45369f4c1392f934fde99f0ebd7e8a802139dbe37461a34ff71ef3c8c6d87170bd94d04151698aa8988afd916373667ad94cffbd9e0c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
2121d7258c936e0665e2790253cd9cc9

SHA1
8a6d808545a5c0e230c7c202f91843386c6ab1a7

SHA256
f2b2e4615bf768a510a9dcf2b64ebbca80a3647b4f0762914e035910db1f79bc

SHA512
db3582b56b0bc8f40c150e89f053892c01559c9baa1b743c5ea71cf1d7c0829850643754415e49fe03882ba2a7cd2676f69637e967dc4154575ee7573ac532a2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
3df2165d865bae84e2ff3e0cc95de9c9

SHA1
5ceac1126514e6c70897e21646c28fe16f6d6e52

SHA256
6da9bfb13974efa9402627f8722f59487d54367de2f966d3e636784e9c477c14

SHA512
515d6874d04ee6f11745e6cc2a3eb28731fccf0750ad5d022c28320aefc27a185405c17a106e3406e3a0515402cd12b3e3efcab10fc6e306701bb231a2222745

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.6MB

MD5
b7b20ef3ac39c47f648f8efc5f30208b

SHA1
ac6784bb6994546a428a6f2cfc3e461a5eebabfc

SHA256
4ab3f540b56b9b0fb0613fef98e1bc67bfc6695ad385efd4140d739f4421cb82

SHA512
d9e67b4db5f2ad5b2df1327048fc936ce82cf5a6a097db75551dcf9dd9ee29032ccbc31a6523b774b8e793308b81a89236f83f1eb36d92d92e965ff5c99d1a7c

Download Submit