7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
Size

2.7MB
MD5

3a2285665c5560b1dcbb35e435d6b9e5
SHA1

647715821467584b6fd543c036d890a03ab6a2ee
SHA256

7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18
SHA512

feafa858e26b88fd8598454ebc5a765d6ed54f6a1738cdde3932560fd1f761de5ff45ff17f7960d32b77db70d84e3aee688f19f0e0ad79d8526f3b9267cb9877
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBN9w4Sx:+R0pI/IQlUoMPdmpSpt4

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe

Executes dropped EXE 2 IoCs

pid	Process
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2S\\dobdevsys.exe"	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCB\\devbodec.exe"	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1140	ipconfig.exe
4948	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
1712	devbodec.exe
1712	devbodec.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1288	1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe	84
PID 1136 wrote to memory of 1288	1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe	84
PID 1136 wrote to memory of 1288	1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe	84
PID 1136 wrote to memory of 1712	1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe	85
PID 1136 wrote to memory of 1712	1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe	85
PID 1136 wrote to memory of 1712	1136	7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe	85
PID 1288 wrote to memory of 1272	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	88
PID 1288 wrote to memory of 1272	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	88
PID 1288 wrote to memory of 1272	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	88
PID 1288 wrote to memory of 4532	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	90
PID 1288 wrote to memory of 4532	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	90
PID 1288 wrote to memory of 4532	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	90
PID 1288 wrote to memory of 1584	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	92
PID 1288 wrote to memory of 1584	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	92
PID 1288 wrote to memory of 1584	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	92
PID 1272 wrote to memory of 1140	1272	cmd.exe	94
PID 1272 wrote to memory of 1140	1272	cmd.exe	94
PID 1272 wrote to memory of 1140	1272	cmd.exe	94
PID 4532 wrote to memory of 4948	4532	cmd.exe	95
PID 4532 wrote to memory of 4948	4532	cmd.exe	95
PID 4532 wrote to memory of 4948	4532	cmd.exe	95
PID 1288 wrote to memory of 4584	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	96
PID 1288 wrote to memory of 4584	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	96
PID 1288 wrote to memory of 4584	1288	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe	96

C:\Users\Admin\AppData\Local\Temp\7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe
"C:\Users\Admin\AppData\Local\Temp\7a47f413f24576ee81cfa7b735e23492c607c4409b79f76f8816978e2d755c18.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
  C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4584
- C:\UserDotCB\devbodec.exe
  C:\UserDotCB\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ2S\dobdevsys.exe

Filesize
2.7MB

MD5
72e5c87519a889e40fa176ed04cf52a7

SHA1
697442cfee703a7b73f2d134fbc322686dc5db53

SHA256
b3a885d6a106f7dbbb584a88e1b074a22bb20969a75d8372842867c36b6c8cf9

SHA512
f42b7d22a9893b9f2840a33d4ebf23532365e27608b46c59930854bdb74d2523f12660d33d6cef6e6fdf705b30d5e2b2f94ee3b82a860da84bc99fb8cfe27729

Download Submit
C:\LabZ2S\dobdevsys.exe

Filesize
21KB

MD5
88c4193a34bc33ed642c08b873d8f01d

SHA1
09090721da01bb4de69a935354eb91e434b18f1b

SHA256
885ae505ce1d9fe457313dec50b16b13a0467d754c98013814cc7e643b27ce0e

SHA512
bd78e8ee2067c7a441769636d628685fd84921ccd58e82b05257dd862af095dba0fbe9642b38d161c7bad148f749c65592c682bad75a7ad362ae9514d2c6dc50

Download Submit
C:\UserDotCB\devbodec.exe

Filesize
1.5MB

MD5
aa9739b6fbf8fd2f81cf156c0ff48142

SHA1
9b2a87a6082504771e65c7fe9836802a0ec9e147

SHA256
e8c51f417517542bf366569f2081f65bf1d10ba54586b16e665352dd1d64dbb0

SHA512
f72baaee7722a616ea91dbd26f7e70633c2b8cf0671d46a3a070cadcc776f0b71ee48c1d2374fc61825a35700b2af2da74b625c962a96bfc9012826074ee3278

Download Submit
C:\UserDotCB\devbodec.exe

Filesize
2.7MB

MD5
fa3e079a63b2dbd307b4245dcfe2dd2a

SHA1
1a3084d2f3d83918efd8006a63f3ab725ed62c18

SHA256
171487893f7da2dd9231ca416aaa89732bfb32e482d7e4e1ad34179246acf585

SHA512
ce8942e54200e5f3728931611155a0d77dbbfb5dd7bd43253809b21d5ec994e94c8a1279989d40a6bf10b4de2017e34111e4a0bec2df604f24a214f14d0ff677

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
511a184f9c1e790cb15846b4fc3892e0

SHA1
2e763466b37663c7392596215c2720f954cb3e1f

SHA256
c776f92c809b225359401103b54f8e38fb60ce5915127ee84222183b9a67561a

SHA512
56aacf2702e279024e2ad758a6c6cc7ad6b74341abce4c3f3f2f0155b6d7be8d552b2248ee7bc369144fd833308dbd44035304cf6eaa5c801560462c3a9e9047

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
2b1165c1e77c9e0208c1c42a34ab3168

SHA1
e4396b9f9e7bc1f770f04c4618291c6353d00285

SHA256
a78807a821ee263c4618888e9a7c8dda03522f5b48b00c752d42e4499c4e5e39

SHA512
32eb49d3522d232fa4ce199fcb93de5034e25a02f312e83cbf2b9a7a82e19e3a06773cfcd68341cba04f967b80f1093fef6935f7bb74363bc5dfb020e6d9d5f2

Download Submit
C:\Users\Admin\grubb.list

Filesize
40KB

MD5
ddd22827b8ecf8820794e591d508fb82

SHA1
ef197da5376170b7342fe35cd64643ec98dc8cb0

SHA256
6a43ae4eeb63690b6eaf47120c7f62d1ffe0015be99a40aaa4ca178cbe906705

SHA512
5c531038bd1bf227010df6bb034c9c7f6eb52ac869455d73b6e4909108434fd54c15fc1eda872d44afebe8e760d14426b5878d7ae4f14d0a1bef3e2fd694c72d

Download Submit
C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`sysxdob.exe

Filesize
2.7MB

MD5
b9655ca4e8a80e90d58b3ab61d62b621

SHA1
09d02e917cfc42a3ee040fdaecb349c2103aa347

SHA256
4f9cdb2fe269102247ffed1f299b25c859e02de1d9aee1b5b9b525bd54f7c678

SHA512
8235bbe77bdaf051eec74988c2298d7337b01069a603d34ac48a43c07930a12e61093c4bcc90859903455a603b45dc4b6cdb29f92bf93872b2628fdf10fc8aca

Download Submit