1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
Size

2.7MB
MD5

f625bcf9f2cdd921a1dfed2c1a2410f0
SHA1

36587f4aa258dbb2e5e95c3fc8c6c81f48c67239
SHA256

1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9
SHA512

da683e47c8247c22547cab280ba3f71b9800bf9b0b884f748085ae25f74cf2acf21370784222ae53c4d6cc79a45bce42634f84b031cb88682e5def1316592689
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpf4

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation	Admin%

Executes dropped EXE 2 IoCs

pid	Process
5036	xdobsys.exe
2792	Admin%

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0B\\xdobsys.exe"	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8Y\\dobasys.exe"	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin%
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4756	NETSTAT.EXE
4064	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe
2792	Admin%
2792	Admin%
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
5036	xdobsys.exe
5036	xdobsys.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 5036	3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe	86
PID 3944 wrote to memory of 5036	3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe	86
PID 3944 wrote to memory of 5036	3944	1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe	86
PID 5036 wrote to memory of 2792	5036	xdobsys.exe	87
PID 5036 wrote to memory of 2792	5036	xdobsys.exe	87
PID 5036 wrote to memory of 2792	5036	xdobsys.exe	87
PID 2792 wrote to memory of 1988	2792	Admin%	92
PID 2792 wrote to memory of 1988	2792	Admin%	92
PID 2792 wrote to memory of 1988	2792	Admin%	92
PID 2792 wrote to memory of 3788	2792	Admin%	94
PID 2792 wrote to memory of 3788	2792	Admin%	94
PID 2792 wrote to memory of 3788	2792	Admin%	94
PID 2792 wrote to memory of 3116	2792	Admin%	95
PID 2792 wrote to memory of 3116	2792	Admin%	95
PID 2792 wrote to memory of 3116	2792	Admin%	95
PID 1988 wrote to memory of 4064	1988	cmd.exe	98
PID 1988 wrote to memory of 4064	1988	cmd.exe	98
PID 1988 wrote to memory of 4064	1988	cmd.exe	98
PID 3788 wrote to memory of 4756	3788	cmd.exe	99
PID 3788 wrote to memory of 4756	3788	cmd.exe	99
PID 3788 wrote to memory of 4756	3788	cmd.exe	99
PID 2792 wrote to memory of 1776	2792	Admin%	100
PID 2792 wrote to memory of 1776	2792	Admin%	100
PID 2792 wrote to memory of 1776	2792	Admin%	100

C:\Users\Admin\AppData\Local\Temp\1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe
"C:\Users\Admin\AppData\Local\Temp\1f2f86f30a4ae82d2997f4f49a2945d0b0654174a8d439d2877b068cb9eae0c9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Intelproc0B\xdobsys.exe
  C:\Intelproc0B\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin%
    C:\Users\Admin%
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -a
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
      4⤵
      System Location Discovery: System Language Discovery
      PID:3116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
      4⤵
      System Location Discovery: System Language Discovery
      PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc0B\xdobsys.exe

Filesize
2.7MB

MD5
d57537d4d8c9c965f1a9de020345c6b4

SHA1
5a48a7b23043d350261906218ce494ec9c862515

SHA256
8d768f8bea445b41a66703c668b996a6cc164040070e7cbbfa86acaeb1ff3fb8

SHA512
9e3fd4018c04335a6c5c98bafe4a48851751b9aeda644f8953bc2e3b6f31f677b9ca87b4fcea00f60ec12cc884ce6d9ea9a3642803f62e77d4c5edb76bd995c9

Download Submit
C:\Users\Admin%

Filesize
2.7MB

MD5
03014d4e46d47b134a5314be0a44752c

SHA1
1d6d0895ba39e70715526d534aba7a682acc3148

SHA256
ee4bcb708dcff4eafbfdc89fccc28fe86684cc02f60cc481fb1161e15a439f4c

SHA512
4e526b10a237f62a5d2df3859d67c585613313100d8affc14ea54e2f787aa62f5b2b8c96084a9b66a60d37eb567807e3a6bdd5457a993dd2dffd263f4bd6489d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
33523f025a5db53b569602766f7bb974

SHA1
305d359517f9dbfdb28a7e7cd539955a6520f3cd

SHA256
a6f72d9995320720f78f235055d0da62e9246ea5305ba08b36701b022ef92563

SHA512
e977d027acd56e984ec0ae167a24d2a4484c91decad5a47a8dfd732efbdcea105ef5d477d0da08fd44f946d77b4fa45e70b8c9a65dd97d7d07965441c91f418e

Download Submit
C:\Users\Admin\grubb.list

Filesize
39KB

MD5
2d1852d94df2bbb05ab8d5d1d41505ea

SHA1
a12079628fbbd9a97bfcf4a5942d26a36b40501c

SHA256
8da9976107940f9aad671176daa77106acccee99e7cbafb77a128750a3049ce7

SHA512
5db6f2b3644e41016bb2dcf24c745701717c9e8a87c7371349a414877c2587e2a8a9bcd3973a968e711668eb97b2262ed6f57dac58450a8cc6ce42583246ff55

Download Submit
C:\Vid8Y\dobasys.exe

Filesize
22KB

MD5
c2a1eee7e7165aeafe294f576af25052

SHA1
c2cacdff58101f66b2f9005b91f54c2fe05c557e

SHA256
dc0a9aa300c6b268add9d1803c12250444394a8cd052b6378e11149ca2c5f279

SHA512
0a0aef1f47ac33f03a2d9d297bffcf4ebd4fada8ca58b46c1e3964516572e38e1d90a9de87255d5ea7159122efb02fe73c45c77e3398ff9c30113f5c49fbb8a4

Download Submit
C:\Vid8Y\dobasys.exe

Filesize
2.7MB

MD5
a0b7efbe78551f8734dac1badf32bb8f

SHA1
17a8b84f7e6180ef97e50f61035a792323518c55

SHA256
0ed44d3e018544b100c3c5f6a9fc1bf44e7f9422c986f93cdc4b228b234c3be9

SHA512
7e6ed40a949e7db4d323b0742c86478e657a2df9dcd79fb25b609dbfdb3cf4f4ce2f1675543cb1ff563bc4ead85ed934dec9c19907cbc59d2d4fe968ab99e841

Download Submit
C:\Vid8Y\dobasys.exe

Filesize
19KB

MD5
13b7be4099f3920c0a076cbbf5b83643

SHA1
a81de9811a57ec2cdbfe1e3a6cbedfbf2fbcfd4e

SHA256
7897ecdf3ddcd3490c17f2cc193f10a2e0b047eddef77884b9b5f187f0d09004

SHA512
fca7da7ace3651a9ca715a8593ce988a8b4f41cdc02d53bb79b7379add25e21edc3c75d7da18fcd92f433fd130cb2c29ea8d686055b1dbef197d00c85fdde05c

Download Submit