fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe
Size

3.9MB
MD5

fb7051b0fe554cfe928dc5afe33989d4
SHA1

a8181ee2a9e8489cbbe7af943bd0456f4c5c9380
SHA256

fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742
SHA512

7979118d94725f7edb4c7c5e2b9d6c64604fb58b687c4803e2e72ea28390adb79aee9536bdfd3bcbfe50ae3b3888d322176f214c819c6753ebe58aa4e87b93dc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	locdevdob.exe
1948	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe
2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC4\\dobxsys.exe"	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv22\\adobec.exe"	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe
2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe
3052	locdevdob.exe
1948	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 3052	2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe	30
PID 2864 wrote to memory of 3052	2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe	30
PID 2864 wrote to memory of 3052	2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe	30
PID 2864 wrote to memory of 3052	2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe	30
PID 2864 wrote to memory of 1948	2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe	31
PID 2864 wrote to memory of 1948	2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe	31
PID 2864 wrote to memory of 1948	2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe	31
PID 2864 wrote to memory of 1948	2864	fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe	31

C:\Users\Admin\AppData\Local\Temp\fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe
"C:\Users\Admin\AppData\Local\Temp\fb8d59353379d69d40b1628b55a40735888e179401cd4a71099c58bcd4cf9742.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\SysDrv22\adobec.exe
  C:\SysDrv22\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBC4\dobxsys.exe

Filesize
3.9MB

MD5
38146a6be06a47a961edd2d4b53671e3

SHA1
d53d1fd8e3ac845eaacd8edb722938e0879f0196

SHA256
acf72f7554b06c94ad49ff4102080b39066cf8b0283e85b9b606565bd6e97b29

SHA512
f32e02299e9f41f9bcc78d881c3488808fc319777b22365e417441241e780728576a64d3fd96834489718fe9d11a73ec6890224d00bfe9d653b21f2b812bf176

Download Submit
C:\KaVBC4\dobxsys.exe

Filesize
3.9MB

MD5
1c11c99f55fe66e350d04eedeea46bdd

SHA1
d4b6d5b38a870d45b068d7d8bdc16296bfd4bdef

SHA256
9d1f06e3bde19966e7dd8f645a4dea25988c64047c38c9dec5d41853d8297f2d

SHA512
4ee79306a762d73c807e0fc6415c8627484e44d8faa6bf445c40681daadffc592d7cd38c224c984dfd2371bf5c7c46ca7168ce0263785bfae4d6c65c6a1a4765

Download Submit
C:\SysDrv22\adobec.exe

Filesize
3.9MB

MD5
d71933ce7a8f280a085721056c035c2e

SHA1
cff0657cc583a04ca397a88d5688ae1835fb288e

SHA256
a0650a6caf7a3c0926ce2015da231b7118a0d4b3afecea14228a5d19851d6acc

SHA512
d789454c983035da66672244bad0fdd55eca375bda86c9061048040a08770fe8fa29bf57bbc64c38afe011cbe2ff143f08ac7898aa3c84d2303249e92d5d15aa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
1f11e6a23c3ccb1adac4b5da06506626

SHA1
bcd65e55b53131b096da8fc0995c1bbd93468db2

SHA256
9d999bb0530c5287458f76d67205d1b01c21b34be9fe9b6197ae8752ef6dfca6

SHA512
a7508effd4f6d4f7c915d5435f82ca0e64b576ee880362475e0666766bd4245ed87817236edad59482d2510d5e3e516f5a1701f254c60c2d6967f4c4e1ac1786

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
d5209db2ff1e2e4dc1ec785c77e27a0c

SHA1
1688e134cae7a5e7739267dde8c6274104a9a132

SHA256
f614b366f98aafa92b746a06dae4533b1f0376263ab73f2353cdedcd753aa60c

SHA512
c43f3d8634eeeeee0b3b7c81baef1b907196cf52c125c650f3305ec3645cfeb46ba550b81a3cc7c1b6ddceb590ea5023b1b0ec6b4ab4a6823c82b5236daed8c1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.9MB

MD5
d2fd345e613a62753705f10aff0ee3b1

SHA1
c3a002602274ff56df2c1eb5c29d3f4a82b97bb7

SHA256
4e9092897b934107bc83e8348980c76027096a4c659e2b0b7870e15718485436

SHA512
2a5b8d2bd899cc838108477a466cc728a0cc52980ddeb4de4e1100d8a02f7e03328bdd7da8ed0f9c55682877bfd27bdac0a54f7dbb2ca820250f0fca2d500c9e

Download Submit