77d87be7e52fa7d8e6fe95da9879f3f76a6aef416a9b2823edee5ffd049fb982

Analysis

max time kernel
120s
max time network
21s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50671fe5a08ce927be83ce02cc151020N.exe
Size

3.6MB
MD5

50671fe5a08ce927be83ce02cc151020
SHA1

261affaab1c258e4c0ea175eb5a8e6fb94db525c
SHA256

77d87be7e52fa7d8e6fe95da9879f3f76a6aef416a9b2823edee5ffd049fb982
SHA512

dd52ff8325fd85fcd49e1d5c8ca112cc502cc090492881f6eb7baaa25fcea67c391e7b43999f94da38205904fb76d0fc07e0e4a93d1c2046f6fc5662d8f25ba0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bSqz8:sxX7QnxrloE5dpUplbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	50671fe5a08ce927be83ce02cc151020N.exe

Executes dropped EXE 2 IoCs

pid	Process
936	locxdob.exe
2264	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1000	50671fe5a08ce927be83ce02cc151020N.exe
1000	50671fe5a08ce927be83ce02cc151020N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesM3\\devbodec.exe"	50671fe5a08ce927be83ce02cc151020N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJI\\dobxloc.exe"	50671fe5a08ce927be83ce02cc151020N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50671fe5a08ce927be83ce02cc151020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	50671fe5a08ce927be83ce02cc151020N.exe
1000	50671fe5a08ce927be83ce02cc151020N.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe
936	locxdob.exe
2264	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 936	1000	50671fe5a08ce927be83ce02cc151020N.exe	31
PID 1000 wrote to memory of 936	1000	50671fe5a08ce927be83ce02cc151020N.exe	31
PID 1000 wrote to memory of 936	1000	50671fe5a08ce927be83ce02cc151020N.exe	31
PID 1000 wrote to memory of 936	1000	50671fe5a08ce927be83ce02cc151020N.exe	31
PID 1000 wrote to memory of 2264	1000	50671fe5a08ce927be83ce02cc151020N.exe	32
PID 1000 wrote to memory of 2264	1000	50671fe5a08ce927be83ce02cc151020N.exe	32
PID 1000 wrote to memory of 2264	1000	50671fe5a08ce927be83ce02cc151020N.exe	32
PID 1000 wrote to memory of 2264	1000	50671fe5a08ce927be83ce02cc151020N.exe	32

C:\Users\Admin\AppData\Local\Temp\50671fe5a08ce927be83ce02cc151020N.exe
"C:\Users\Admin\AppData\Local\Temp\50671fe5a08ce927be83ce02cc151020N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\FilesM3\devbodec.exe
  C:\FilesM3\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesM3\devbodec.exe

Filesize
3.6MB

MD5
268786ac1728e59a08ed4f1c962c5056

SHA1
f716be027244741a6fea34124e2665bc4d9f36a3

SHA256
1bdb6a4e3c6a95be24a752081e2469c6b2daa3a5a7625177ccdc1ea75c2d77d1

SHA512
c4375d379b4c7e8ddc9c5d06717d3f1e4c65c85a45e853f242967fb8dbc27d19a9f63661ba76f30712b6ed528eb8d03fa832547e045ac3f62829437b0887b2ba

Download Submit
C:\LabZJI\dobxloc.exe

Filesize
2.8MB

MD5
fd341bc398adcc5e4d77143b60914e34

SHA1
b4f26624bb6596c1e1e9fdf9246dbab3d83e3e27

SHA256
bcab21b43b1aadb239fc92a26ad2a0de76016f93246a969426d716defdc78cdf

SHA512
1c095d0b489afa913d37eb231252e8542e46c92c9f9d76a22fed18202a9075d7ba2496236331a80b58beca29ac0c95384c5003e7dcf67931c4333b6e8bf0e1e1

Download Submit
C:\LabZJI\dobxloc.exe

Filesize
3.6MB

MD5
8afa3fe6e97e0fb2da4890d7d3aa47d4

SHA1
35cd28246e63eed8df7940e74074ee6c7c6ba2fe

SHA256
f8f4cdc9cf81fc0dd4286e879dcc7cbff03cf1ae49c399d94dfe414e7966df8b

SHA512
9bf93b0733e8939bab061678408140b1f5701719831f2f78df4b0bce4bd70af6a672544fbd6c34a0e1ae124db1d4c64b9d6951be40cf947c2000d9667463665c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
c06f2957edb7d4630113710abfc7be54

SHA1
c8300b952cc9959894f4f63b14d04be944ac68fc

SHA256
11b25901250bdc19d7a6eca74f8115c4d6a2fbd9335248b836fe1f1652e02d0f

SHA512
ed69540e976327787434bad065c1df778b581b1872bf4bebfa98005cf5849cc05a5bb49a76371f0ead1e5ceef41ff81df3f02bde18eaca3c7f9fa6df302eed1f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
96ee573875ed8d1d113e49a4a46253d5

SHA1
0dc640eb0eaaa2843678cd7cf6059e86892e505f

SHA256
c2146f552987530ca1c77d335399427802c10005a67853a6c243aa4b26214a60

SHA512
34bcc03d309c5851c2ceac2e646a697b5e500e904a14d4dbb77048478a0945524d8d6d5e691fc0119ccd97024dcf2126130952cb433345c057e738edfc65f2e7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
3.6MB

MD5
c8724ed79403950acb764c7453770f0b

SHA1
d70133c38c546171ac7dd72c2ac78c71cb383818

SHA256
958b03dbefd8439cf22b96398e329c5643eb2ad05eda6a307f75678fba5af171

SHA512
f6a4871222d020693b165a35c4a79421e684ce08f20bf7c04f6489c86739c043676a28fe2fa44bfcb80f5d023e1bea51dba63cf8eb944ce8ec313c0832d2c6b3

Download Submit