9979764aa38f2f61c87b720efa4f0b9229d16a971aa633a777e37fe8baf41bbf

Analysis

max time kernel
119s
max time network
113s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Size

3.1MB
MD5

78d28f8d486d3dcbb25d5c0a1868e5b0
SHA1

21190661240cc5803c32dd4c2c8bf501eb715388
SHA256

9979764aa38f2f61c87b720efa4f0b9229d16a971aa633a777e37fe8baf41bbf
SHA512

3b4de1a63f3e32fcc7b1644ff57113b41b6fa072bd2e17d4da0029b2bc6a13b26b58c908a23a50625f1cf7351b4ffa49377f12f1a3c9036f43b2b98f81fd5069
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Su+LNfej:+R0pI/IQlUoMPdmpSpR4JkNfej

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2896	xdobsys.exe
2864	Admin(

Loads dropped DLL 2 IoCs

pid	Process
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0Q\\xdobsys.exe"	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOQ\\dobdevec.exe"	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin(
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3036	ipconfig.exe
2128	NETSTAT.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin( <<-@-(;-95:3(5\>;?;2@(#5:0;C?(@->@�1:A(>;3>-9?(@->@A<(locdevbod.exe	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
2896	xdobsys.exe
2864	Admin(
1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	NETSTAT.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2896	1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe	30
PID 1892 wrote to memory of 2896	1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe	30
PID 1892 wrote to memory of 2896	1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe	30
PID 1892 wrote to memory of 2896	1892	78d28f8d486d3dcbb25d5c0a1868e5b0N.exe	30
PID 2896 wrote to memory of 2864	2896	xdobsys.exe	31
PID 2896 wrote to memory of 2864	2896	xdobsys.exe	31
PID 2896 wrote to memory of 2864	2896	xdobsys.exe	31
PID 2896 wrote to memory of 2864	2896	xdobsys.exe	31
PID 2864 wrote to memory of 3052	2864	Admin(	33
PID 2864 wrote to memory of 3052	2864	Admin(	33
PID 2864 wrote to memory of 3052	2864	Admin(	33
PID 2864 wrote to memory of 3052	2864	Admin(	33
PID 2864 wrote to memory of 2276	2864	Admin(	34
PID 2864 wrote to memory of 2276	2864	Admin(	34
PID 2864 wrote to memory of 2276	2864	Admin(	34
PID 2864 wrote to memory of 2276	2864	Admin(	34
PID 2864 wrote to memory of 1600	2864	Admin(	35
PID 2864 wrote to memory of 1600	2864	Admin(	35
PID 2864 wrote to memory of 1600	2864	Admin(	35
PID 2864 wrote to memory of 1600	2864	Admin(	35
PID 3052 wrote to memory of 3036	3052	cmd.exe	39
PID 3052 wrote to memory of 3036	3052	cmd.exe	39
PID 3052 wrote to memory of 3036	3052	cmd.exe	39
PID 3052 wrote to memory of 3036	3052	cmd.exe	39
PID 2276 wrote to memory of 2128	2276	cmd.exe	40
PID 2276 wrote to memory of 2128	2276	cmd.exe	40
PID 2276 wrote to memory of 2128	2276	cmd.exe	40
PID 2276 wrote to memory of 2128	2276	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\78d28f8d486d3dcbb25d5c0a1868e5b0N.exe
"C:\Users\Admin\AppData\Local\Temp\78d28f8d486d3dcbb25d5c0a1868e5b0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Adobe0Q\xdobsys.exe
  C:\Adobe0Q\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin(
    C:\Users\Admin(
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -a
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBOQ\dobdevec.exe

Filesize
3.1MB

MD5
11a27a1fc8ea4ce1abe1faa9755752ab

SHA1
e204032ebe91e6e7246faf8a4b7f299dace9ce97

SHA256
acf9049d900ad507d604a492a642c0a239fada6b36bb2223e52d968cbed4f125

SHA512
7066a901741a6541f16a75a62f346f422dddc71085c478215efcdc06a03b6f2a1b95648073bcec7abe1d400ebf26d05cb2f623b18aaf0ccb9b30c80b1596487d

Download Submit
C:\KaVBOQ\dobdevec.exe

Filesize
3.1MB

MD5
3a31a085a05d30ef6434812b23835003

SHA1
258a539b8af95d422c242cdafdb3fd7bd2ed9b07

SHA256
29bd8737158d05805c9c6cb2a46aaffdba895a300d9d493b80601c3ef3c25b66

SHA512
9355657ce1af2c3ca142dd0ba575d9afe3f358c6625a16fdae508d3a5b97121309a0c9facdca22400103c9fe65a3aa8b1cd8322a5fecc3fdfb7c6c6c152b896d

Download Submit
C:\Users\Admin(

Filesize
3.1MB

MD5
06dcccafea6303a12012f002dd297929

SHA1
25abc05008689c1586b7b9acb8226471e8ba887e

SHA256
e54b9bc059d179d2d871591dc80c220ba482f850984ee2d9a98c01e1cdd36883

SHA512
4eab70b1eeae099a1d855a1535095b58f5beeaad862d5649349caa4b0281ddfdc7ddf0ac64337262907d93c7860db613590fe320be477657c35fb2221847b395

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
8d1ed92dd4f446fb6fdcf2341b6b1aac

SHA1
4e40fbab5fe6d27caf9a5024f168cf9cba9918a6

SHA256
4a91b401c96343388ed83e406e9550680df46de497d8653b1b98b18ceb563e4a

SHA512
e538f1f6a525dbb8ce2ce0655c2ec1c71fde5f705b1bd1ef62cb32b5062e2415b93be60b4cdff048be7e8c53e409c7727d7bbd8d183905740832d656c1cbadb7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
5cceabd0a84301855d3fd3e71a7c5fbc

SHA1
d73b9a327d6a252d0a526d54d29626fcdf154893

SHA256
e2ef0152d04090145bea75071b438a987568aad80508217b068765dd4e3dd3ce

SHA512
ab8bcb3052d8e7525e92bdea1c7fea42ee92b504eaadb03c4bdfd5077c5b41e813b56e76952f9941e8ebb62aee764a2ee6cce0d7d9e389ab66d650d5b4ac13a9

Download Submit
\Adobe0Q\xdobsys.exe

Filesize
3.1MB

MD5
77453fc1a34bbff16a4d256f24a8fc9d

SHA1
d12fe913b8ab94fccde83de78e183cecbc446ae4

SHA256
4487ac35b680eacb1641c9e86b8c1326eed70225bc98e65c713a96b802da6740

SHA512
182808783608410f616fce3e9eb229e45494beffc2638fdc994d4f868ee43233151ce2e53f64254ce0cfddd5f6a288d01a5f9263ec7cf4900b90bbeba2d47b2f

Download Submit