b31f9d02c756e95a2eba310bf583e3a0cf97cfab0668751c7ccb6f9197824d34

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d44d931b2aab85ab66c3806c6aca850N.exe
Size

4.0MB
MD5

5d44d931b2aab85ab66c3806c6aca850
SHA1

fc51cbe724e9be94a9a3ab061c4693c75324d41b
SHA256

b31f9d02c756e95a2eba310bf583e3a0cf97cfab0668751c7ccb6f9197824d34
SHA512

a38306f47ad955bc5fd0d9dd6d32dd4ceb8979a2bd6a9ac53874c6e0e25fd3705737fa73554a2cc4d5a67cb31fe7695f7379696a3f7dea7a6e537900c8310f37
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp7bVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	5d44d931b2aab85ab66c3806c6aca850N.exe

Executes dropped EXE 2 IoCs

pid	Process
2140	locabod.exe
2688	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	5d44d931b2aab85ab66c3806c6aca850N.exe
2084	5d44d931b2aab85ab66c3806c6aca850N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHK\\dobxec.exe"	5d44d931b2aab85ab66c3806c6aca850N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6A\\devdobsys.exe"	5d44d931b2aab85ab66c3806c6aca850N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d44d931b2aab85ab66c3806c6aca850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	5d44d931b2aab85ab66c3806c6aca850N.exe
2084	5d44d931b2aab85ab66c3806c6aca850N.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe
2140	locabod.exe
2688	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2140	2084	5d44d931b2aab85ab66c3806c6aca850N.exe	30
PID 2084 wrote to memory of 2140	2084	5d44d931b2aab85ab66c3806c6aca850N.exe	30
PID 2084 wrote to memory of 2140	2084	5d44d931b2aab85ab66c3806c6aca850N.exe	30
PID 2084 wrote to memory of 2140	2084	5d44d931b2aab85ab66c3806c6aca850N.exe	30
PID 2084 wrote to memory of 2688	2084	5d44d931b2aab85ab66c3806c6aca850N.exe	31
PID 2084 wrote to memory of 2688	2084	5d44d931b2aab85ab66c3806c6aca850N.exe	31
PID 2084 wrote to memory of 2688	2084	5d44d931b2aab85ab66c3806c6aca850N.exe	31
PID 2084 wrote to memory of 2688	2084	5d44d931b2aab85ab66c3806c6aca850N.exe	31

C:\Users\Admin\AppData\Local\Temp\5d44d931b2aab85ab66c3806c6aca850N.exe
"C:\Users\Admin\AppData\Local\Temp\5d44d931b2aab85ab66c3806c6aca850N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\SysDrv6A\devdobsys.exe
  C:\SysDrv6A\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintHK\dobxec.exe

Filesize
4.0MB

MD5
d20f59873ec5805928f68eebcf7f1a19

SHA1
f9eceaa81835c0e7c12ba7251975da0fefceec92

SHA256
65c32e76f46fe462192833d583c2faf1de00e730a2f38538afff39bd2d2a9343

SHA512
ca2278faed1845c30e10f8c77c8e687c1eeb482f32cfd72704ec197de49c3f2c4056c583fdfdc7b0d5ff3f584e967f364386338770f2639990d3b884a1a10e33

Download Submit
C:\MintHK\dobxec.exe

Filesize
4.0MB

MD5
f7ecba7315a4ddc3743a9d71a002d0d5

SHA1
37f5cd5a68b74c35c8915273762098b7a253fa77

SHA256
759068e99a78973cfb763a717bac3a5b3afddc350acdcafd48a9fd011876e7d0

SHA512
5247e572d97b6af3e9fa1365b812e6f72914c5732f07fe0ebde1fb35d0d87b8604645a4f1aff1b2dc446e2de87fac6be5bf1e293a0b3118f0fac3f2d058d6e25

Download Submit
C:\SysDrv6A\devdobsys.exe

Filesize
4.0MB

MD5
5488ffbabbd9dbb0d0194e19c0f37fb7

SHA1
1970b025c29398f1c846ce0664a0945bfd401142

SHA256
aacab2ddf5e121989b7a77e112241b279f24efacf8f44ea22f0e156f940eb61e

SHA512
a90caf00ad0b083ef62a4009ca8cdb00e278d8c84ab0d8a261ae307b01280fc5102679b15ccc1304ba3c81d970e8ed8af508add45485b5385bf457b91abdfb20

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
14c174d19b7645dd8ad0c0ecfd4b34d6

SHA1
4d6b376527fb761e13cfbe30fa7b8f90588a8483

SHA256
669503477723853000183cbeeedf721edfbed879184cc7a6cbc10a1949d6934d

SHA512
8eac0cdda229465460150c5d05f1f47a04210e95d26a0ed6bdfe761fbae1a6a77eb840d2dc9f3ffaba8119957729aaa90141f2979df5da696056bf1ec9b18bd9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
94757ea1dac80286411777bba1946423

SHA1
17157d408bb299c2ac40b28dae97485f1565e72c

SHA256
4a0d3c615ec54cff9eb8a50632182d905a2bc863d4a49bdf84a52192ed96b4d3

SHA512
abf2684a51326bbdfef559f5824693ffa6dd066174a506a84eaff3e652647fbdeec1173a320f17daf4ecc8f85378b385c14d08747d5cfc1d6ae2da79fe50bb9f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
4.0MB

MD5
1cca6a8765ea636e5877d1dc86668e99

SHA1
b5ad971aac79eba4aad2f8cffcf466d9ec868edb

SHA256
adebbb23cf4c8ae677e7b5dd024e434e53837b1f6dee73ceb96741643acd0d95

SHA512
c82cedce0415f1e27fca351782c439161c6615c1294b37ca42d3b9745bfb6eefbc7f3b624064d6d67ab3379694287a46da29e7a797efb3f11c1ff69c69590a91

Download Submit