18cf582b76c82ddaa646d1cc0f795f43bd35b329a2437dc24c50bb001cbdfbb0

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f4f5d24a30577a25dc563c2eb85a550N.exe
Size

3.5MB
MD5

5f4f5d24a30577a25dc563c2eb85a550
SHA1

f74ffc62034ed4ff3738f58e4e723f081cc69c86
SHA256

18cf582b76c82ddaa646d1cc0f795f43bd35b329a2437dc24c50bb001cbdfbb0
SHA512

81cc9be60cf8090a67f1aa4d1b1afc1685f711466ce3753ff919a6f7c61876287e355b64b394cebb691246cf39774b85f19d50516d589d3d5c9cc6442d1643a7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpVbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	5f4f5d24a30577a25dc563c2eb85a550N.exe

Executes dropped EXE 2 IoCs

pid	Process
2056	sysdevdob.exe
2516	xbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2676	5f4f5d24a30577a25dc563c2eb85a550N.exe
2676	5f4f5d24a30577a25dc563c2eb85a550N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotNZ\\xbodloc.exe"	5f4f5d24a30577a25dc563c2eb85a550N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRV\\optidevec.exe"	5f4f5d24a30577a25dc563c2eb85a550N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	5f4f5d24a30577a25dc563c2eb85a550N.exe
2676	5f4f5d24a30577a25dc563c2eb85a550N.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe
2056	sysdevdob.exe
2516	xbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2056	2676	5f4f5d24a30577a25dc563c2eb85a550N.exe	30
PID 2676 wrote to memory of 2056	2676	5f4f5d24a30577a25dc563c2eb85a550N.exe	30
PID 2676 wrote to memory of 2056	2676	5f4f5d24a30577a25dc563c2eb85a550N.exe	30
PID 2676 wrote to memory of 2056	2676	5f4f5d24a30577a25dc563c2eb85a550N.exe	30
PID 2676 wrote to memory of 2516	2676	5f4f5d24a30577a25dc563c2eb85a550N.exe	31
PID 2676 wrote to memory of 2516	2676	5f4f5d24a30577a25dc563c2eb85a550N.exe	31
PID 2676 wrote to memory of 2516	2676	5f4f5d24a30577a25dc563c2eb85a550N.exe	31
PID 2676 wrote to memory of 2516	2676	5f4f5d24a30577a25dc563c2eb85a550N.exe	31

C:\Users\Admin\AppData\Local\Temp\5f4f5d24a30577a25dc563c2eb85a550N.exe
"C:\Users\Admin\AppData\Local\Temp\5f4f5d24a30577a25dc563c2eb85a550N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\UserDotNZ\xbodloc.exe
  C:\UserDotNZ\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotNZ\xbodloc.exe

Filesize
80KB

MD5
7d1bb0cc0e3f7ecb4f15fca47bc032fa

SHA1
8c08b21ac5a8982475580e68a964746ada68750a

SHA256
3d70791224421ef8ad82bb34a17e31c86f51048fb812f13651f883e5b691247d

SHA512
39ccd3478ec8ed1edb688eb1a229c22fda2a51fe1bce727de6762d12f391bb7ed48c3b2a2d0dc1c214ad3eb7a92af0c03ec4cee2079219bd898e86dd2eebc4ae

Download Submit
C:\UserDotNZ\xbodloc.exe

Filesize
3.5MB

MD5
2551a2c48d040ba88ff3b1704e9155a7

SHA1
4be6ade33f5c555d8ce21fc48c654515fdb15aa9

SHA256
ef627e79810c65efa928a3265e4eb7f1c93a8c12c57f328a52f9d2eeadc1bf12

SHA512
b9f1d41f598be50282bc1f590ed2e2c9bf012be10e274b68b8c8a2aa2b3109071260add0b5ef73e22cc05c72b15ad5104b161b432401e12ee1b452509f8ee878

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
8aafe38e54392500d0e16d55cd34fbbd

SHA1
fed00eae24fc7225a1f99d939c1f641c68c9b1ae

SHA256
52bd6d6a046467c0dbee23c94118c26a1eb5740090479a5f04f18f630e71ab64

SHA512
d93594197ed3167e7fe992784a6cad40b11953844e231aa4c2f3d1efdd1199882d0ad6aa24aa47614e786576601cc031ccf24a7320e12ffb4cbc8465e90da465

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
6aa47c0def53d617bfc391b85a7842e8

SHA1
b4d1689157b152b0cf00a68fff2e4efa6676afd1

SHA256
355c3e6648667a78f153ff577047d3e3deaefcf474f5805dfa63c5a1aa848255

SHA512
598c8ce94db325fd58f84f69aeb2ba5da7f60b97a2bbf7d5da75aeab112332c68c23f19ca6fb915bd73319393d482941bff7bd63d776fc3547803326d949ea51

Download Submit
C:\VidRV\optidevec.exe

Filesize
1.2MB

MD5
0d61d29c0041ed3a807da8861fbc5c5f

SHA1
57dda1821e14f0da82ba26c14ef792ffe4c56a87

SHA256
457bfcd379a866020d32615aa6931968ffea68130d1ad5e5b817b46ecd30ec06

SHA512
ada82fc7ee39acbc1822aa3556fa13a3123524c06cb84ec8cb7d24dd067f61c019ec9722ec29d06356a4173074843289082dc656ed4e5e6f316ae1ee7a6c1223

Download Submit
C:\VidRV\optidevec.exe

Filesize
3.5MB

MD5
adfdccb1d9e782a009865e3448739ac5

SHA1
65546744798def117cec4735704321059f2155b0

SHA256
7c410f6db9ed7794bff432680797a08dc1bdcfc21e3a2387e70254b14246ce3a

SHA512
2a97ad5087fce4e4e6f2b1a57ebedd243ae799992d7cb4756620f66ecffc5bc61911ab600ae0d21d023cb1dd6dfb917a7969324020f98bca95a5dca495027ef1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.5MB

MD5
9ba7f5c282ae7481cec45ed16ae747f3

SHA1
69a33215a6f3d2cc1bc12c893e4368da263baf29

SHA256
1e7e02cbe367a6a4b518f7d36152e316ecee8608d07b693aa5d2c1e93574d855

SHA512
d5c41a6d45a50c62f1defee060305b3a6d6c609eee2f4e07ea1c27a593cf93e69fc2e8dc3e694348681c8edfcfb053caf1c90bacafc15417852cf6ce07c11e81

Download Submit