e6902600a9a281182910743371f654a9cf988fe2c6494d7a061ace3a44f859ea

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

357b4c2ed31bd6162b28608d10e696f0N.exe
Size

2.6MB
MD5

357b4c2ed31bd6162b28608d10e696f0
SHA1

b95b88176b716e4537ca7f5ba3a50b418e23f899
SHA256

e6902600a9a281182910743371f654a9cf988fe2c6494d7a061ace3a44f859ea
SHA512

0ca8a3e6135bc282cd692ff46060aa9308e6a81990bd9024efacb74a65c6a4402ec490821a329435c28b4350cf19a0fd78b738ca93cb11f6c12bc3d15a10b79f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUp+b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	357b4c2ed31bd6162b28608d10e696f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
4044	sysdevdob.exe
2468	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocE6\\xdobec.exe"	357b4c2ed31bd6162b28608d10e696f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQB\\bodxloc.exe"	357b4c2ed31bd6162b28608d10e696f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	357b4c2ed31bd6162b28608d10e696f0N.exe
2972	357b4c2ed31bd6162b28608d10e696f0N.exe
2972	357b4c2ed31bd6162b28608d10e696f0N.exe
2972	357b4c2ed31bd6162b28608d10e696f0N.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe
4044	sysdevdob.exe
4044	sysdevdob.exe
2468	xdobec.exe
2468	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 4044	2972	357b4c2ed31bd6162b28608d10e696f0N.exe	87
PID 2972 wrote to memory of 4044	2972	357b4c2ed31bd6162b28608d10e696f0N.exe	87
PID 2972 wrote to memory of 4044	2972	357b4c2ed31bd6162b28608d10e696f0N.exe	87
PID 2972 wrote to memory of 2468	2972	357b4c2ed31bd6162b28608d10e696f0N.exe	90
PID 2972 wrote to memory of 2468	2972	357b4c2ed31bd6162b28608d10e696f0N.exe	90
PID 2972 wrote to memory of 2468	2972	357b4c2ed31bd6162b28608d10e696f0N.exe	90

C:\Users\Admin\AppData\Local\Temp\357b4c2ed31bd6162b28608d10e696f0N.exe
"C:\Users\Admin\AppData\Local\Temp\357b4c2ed31bd6162b28608d10e696f0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\IntelprocE6\xdobec.exe
  C:\IntelprocE6\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocE6\xdobec.exe

Filesize
19KB

MD5
d016b0ad254ae9664284c6bec29c5ba6

SHA1
7ae5e9559a1832a9fb2100c1032f300c8dc78e9e

SHA256
7c02f64b740ff9995b503e0f1e0c8c01d837aa4bd8585709cf0f8dfe61831374

SHA512
c22c1b33c86d3a40515e18681d66290f6976b7510b3d4fce432a93ed4220ed0ce1cc8d8f3ddbabfe38b8176b15e6f826172e59fc74b34f4e1ca4414306ea2430

Download Submit
C:\IntelprocE6\xdobec.exe

Filesize
2.6MB

MD5
debb829e6dd440ebff9f28c64ce55c85

SHA1
c63f617e041c023ecd8fef8a18fae3dd91c8ee27

SHA256
9f336190c79ccb20fa4cb464484f2ec452425a706897c97b16e79195cb8f841d

SHA512
c3aa5c8e678e112e0ab61de0e9dfb48fe677d0979b5b83a22acf7c1f534043844fd58e2eaabbb328c749b1dc1ebd6b1421fb79183f08edbce16a167a38eea7de

Download Submit
C:\LabZQB\bodxloc.exe

Filesize
2.6MB

MD5
1d7ead06caa0336fd126b748ae9e4007

SHA1
8fbd47ab9549accf11525d047bf3360a5f9405db

SHA256
69ad285415bf312488757f750bd548898497c4392a962af3b199a5994f820282

SHA512
dfb633aaf2340d200b132ba71e83b78aa6155ff9593b7d76e6bf73ae123d0a7325d9a2f980b1d2d27c5c266b556cee9143a6ce6f14d0147f5fdfd6615ec15bdb

Download Submit
C:\LabZQB\bodxloc.exe

Filesize
76KB

MD5
cf68ebe137dfef0b41dca0175115bd05

SHA1
42c45d2adc2ebe87926a1343b4d9dbe9367ece3d

SHA256
e43530ec783c8acb32200a9d77882920376f517caa7e8fffdaf838d19f757844

SHA512
3d44889b4d03f96f3bb1d2b0fc920ac63e5bfa42f02b085c45d64eca2c61c8182735defbb82b664a1e0dba2973f7e7eab599d94687d5bd3ea13a12b15fd0046b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
b0c2889f4af3df2755ae627aac2905fc

SHA1
67e893b26cce1be707d15a1ca7ae5bf1ea6fd8a8

SHA256
662295bb5eda94fdb0a1e0db99832d902ae864b46f78058bdd0a2f1bebd5e269

SHA512
bd35f5f8b203004893c948f4a749c02e76891b3514c7ecf7c45099616cf68a2fd43cc15ea489a597f7656c9218087953f308bccac2a8a99efb4a8078ad349597

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
3c41735be421f0031c173266fcab47a6

SHA1
fa2d12e75806e73c57ac769b074275e416ab1457

SHA256
2550ece781fe1249c86c2d4ceb36f5de964c49d6b648eb64a01e428809a2c0f1

SHA512
9d6de2239d5389a7e49a747a48b4ffec3fd1ceff5fcab47a25f9b2f243870164ca1a2b16ea30cab2a16e4805c4d1f5875866fdb57838c8816f9c8e31a0a5ad6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
6858981fb3e71a3f45c87b25a3221c82

SHA1
b69f3af7fa0417fc3665988c856e90ad9d29a534

SHA256
081c7a535e571ee9ce9124c373ae3a740c8fee75f18b26edd379c5c359f337d3

SHA512
1c47aac397194d8b138cb593255f56c03c2cd746ff3af03d1320cd2765d77be9d5c7e85d580985b5a644300fa6dab6c2bb9b74b508f9ffa9029f911c2f70e201

Download Submit