f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
Size

3.9MB
MD5

7112afea309abbdceb6abaa2cc02ef26
SHA1

5ce49d308f912d0aa1b5c35e86b86c0b65cca4dc
SHA256

f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324
SHA512

d9431f85e526065cc654b1a1f24147b19f7f5f04c3e6d482a92c12334dc790737388693d2713424372afac0dbcfb9e89358891041643ad879742651260e9c124
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpobVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe

Executes dropped EXE 2 IoCs

pid	Process
2116	locdevdob.exe
2700	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7V\\xdobloc.exe"	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid74\\optiasys.exe"	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe
2116	locdevdob.exe
2700	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2116	1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	30
PID 1976 wrote to memory of 2116	1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	30
PID 1976 wrote to memory of 2116	1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	30
PID 1976 wrote to memory of 2116	1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	30
PID 1976 wrote to memory of 2700	1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	31
PID 1976 wrote to memory of 2700	1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	31
PID 1976 wrote to memory of 2700	1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	31
PID 1976 wrote to memory of 2700	1976	f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe	31

C:\Users\Admin\AppData\Local\Temp\f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe
"C:\Users\Admin\AppData\Local\Temp\f29f87a33b537e46e16231705c7575d28cac9e38afa0d943ce0e719e7c0cd324.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- C:\UserDot7V\xdobloc.exe
  C:\UserDot7V\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot7V\xdobloc.exe

Filesize
48KB

MD5
33b389447d92d1d6bec3b0d88267fc38

SHA1
136c5272702f019838d1e3ece0a088c73e5f0c30

SHA256
f6ba336ee80d621061e4055bd48c36089dd5bcac3a01c98f0856c09232af5280

SHA512
d37aa3d9152be5d420e46e26345ac7aca03aca84843ca0b9692ad41acf39829dd9c81857d06c1bbabf7ee892077e2c7ebcdf327329acb306f707f7bdf36de399

Download Submit
C:\UserDot7V\xdobloc.exe

Filesize
3.9MB

MD5
0c5bc146d1a614730968ce3671cebb12

SHA1
ccef3f0ba6df65677d0a714009e950aab3f591ba

SHA256
a4280d57d71511cacd85f295d52c816f260fa2694e23f8d87ec07c93a1760a96

SHA512
9492db30ad4d9ae98745f86eaf09563220590e32e97ecfc603cf3d3d2619ac5bc0d4d374798f00406ecd9b39f7deff72c706061e7a7c990a8eaa80bbd91c8894

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
1639d10d07810229c45ef5531078cd40

SHA1
fd0f8a650e151ec78c17f5730e2be8b6b76f47fb

SHA256
dc220118e12f9e715aaded5d933c7312c3c2fdedd25efd8388c0a824f082c7e1

SHA512
da854825e0787c290361a6a85cfcc1e58097f663cea805961fd87f9e64cf1ca76057bbd7d7141a2fa8cd06e87096c51368791272cdfe45c4eed94cd77d31f7c1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
1dafbda26c9e6573f5ab29ad0f225e60

SHA1
f5ffb8b18fdbf399296ace0fc6e6627cb6884da0

SHA256
674f1132abcac9a2c6225f46ff5e291568e6b43ee157d827f41a4627fd34c693

SHA512
59ccb50c0b125dfadec0b9139b8059a8ad2043a47294d961d1ca8e1c61f44bc15fd0bcead1463098634b47d1756fe540b0fc20595ab51d9683164679142485cb

Download Submit
C:\Vid74\optiasys.exe

Filesize
51KB

MD5
e52fb9d1def60009196d2a1ac8b754e3

SHA1
3193a2d0238252e36bf03e6e89567f2f573566ec

SHA256
4736a9eeac82f7c03dfaed974d927d405d4d4a395c6f924c3ef9a5c06c63f5ee

SHA512
ca078c2736761bd0b1afa0c1aa3730a3e3ea2637e5ae000f6f6a905cba9f1b73eebdc0ff2e4905b71626858faf8bd15cde70cdba1120cff915609c1389149a01

Download Submit
C:\Vid74\optiasys.exe

Filesize
3.9MB

MD5
cb3708b505cb28422ac371f8fe861271

SHA1
b2acce1f8861ddc124aacc939f3fceebb245538f

SHA256
28538f84c8d9cded931532e3cf58aa759ab0cfcb37c298e29d46cd977cc08601

SHA512
7bb6df314dd65feb4ee36f90f51627c197a34b9e00a278a26ba05e762703aca7b49d6d7b2af53a82e2a5235b05f397144b14cd1e850a2aeea280f00d16b568b8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.9MB

MD5
c2fb97a01b901f2c336911886f225f03

SHA1
e1746b8f074315657e9ec5f1a9ac902aeef43a5b

SHA256
333ced57fb783b7a6cd2a2020276ed059baaba61db0cd7aa6279b625fe2a9fa8

SHA512
b732927f37003dfa85c364bcd28546696ac1948ec944227b99d8feaca14c8ad0fa7f7d7b6b33869ab9fb23ce37e6919e67b6282973311af6a8e929f32e7e00eb

Download Submit