17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
Size

2.6MB
MD5

31aaa86082487967ae1f7644660e8902
SHA1

4196115f67f867e8b8364e7ab8bb22fb910668de
SHA256

17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059
SHA512

b1a4892b2ad5bbbad26f77d17b6146fd5463af62a4feb5aeea8abe9ee827bbc89db64916c089e519a65b2755edc79a4fea5e5d23ecd0d1191f69c46eb675f71c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUpHb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe

Executes dropped EXE 2 IoCs

pid	Process
4780	sysxdob.exe
2288	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePR\\devdobec.exe"	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidA1\\dobxsys.exe"	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe
4780	sysxdob.exe
4780	sysxdob.exe
2288	devdobec.exe
2288	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4780	1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	95
PID 1464 wrote to memory of 4780	1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	95
PID 1464 wrote to memory of 4780	1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	95
PID 1464 wrote to memory of 2288	1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	98
PID 1464 wrote to memory of 2288	1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	98
PID 1464 wrote to memory of 2288	1464	17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe	98

C:\Users\Admin\AppData\Local\Temp\17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe
"C:\Users\Admin\AppData\Local\Temp\17b825ca94718ad7d308674307d224ae438612ec57831882edfc940e14412059.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\AdobePR\devdobec.exe
  C:\AdobePR\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobePR\devdobec.exe

Filesize
1.3MB

MD5
701aa20a843a62020a679eb11c98f5d5

SHA1
bf63c0a1421270d197868116d40797ea439af0d5

SHA256
6294e9aa5bb0fde58b458e4d3ed3b33fae685747dc5a8665b7948eec22f065ee

SHA512
4cc74dc7c80733da205e682c52415dbf002f2246c5b179678cbbbba236b76bbe8edbff8701d935007d4dcbdd70d209ad739d79306e39012e6680a8d364688bb3

Download Submit
C:\AdobePR\devdobec.exe

Filesize
2.6MB

MD5
3a5014fda180215489f230d11dd518a4

SHA1
e87c5fef1d163625e5d1dd2bef7b915e937fc066

SHA256
1f6b8c0dfe281e968a806221dbae110e7cfa89090b05a605eabe5525258d25f7

SHA512
b7506e273473fe8c5ab5f1abc011c25af5d514cc7ac35de3c4760458b292a45db5f003df696c665cef6d14067664f1274f2240c0c8f3f390c0f2f664ab274a34

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
f02a7404a854cfa4897f0dc7b0050d77

SHA1
82af70e181559ff31feeaf9286b98345ec253b13

SHA256
4d3d7ae7c3bf6b79be070d612a0a81eb0c7f1ff566c3b20c08c6d5bdb4912c82

SHA512
3cb5c5a5ab7dac74f7295972f4c2093fd1e9b0cb20551bc5efedb40d0b48009841c18cac34cca53b4de3d4341bb473543879e178c71870ce795afabfe179f3a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
183983e8bd026454a84cbbdaf293195a

SHA1
b1f4b088cea61e292502606c66aea334827f0d0e

SHA256
9b95bcfbb082ee8ee2e25c1d0bf93c60a759293e25c74df7a677512f9c57285a

SHA512
416aa38687f73348cdc179a2b4d0d5c45bde3efe8382fd19433e2aad0cd94316924d9d916c2c5814289e08f4322422b134f6b28fa86e6396bb407a02639373cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
bbf0afdc06a984d1b33a7f1ed7223492

SHA1
cfb0c2624b7eddf7f698e86b877671fe250d3ab1

SHA256
c57dc9ef991479c50c823a8873d1aa1babddfec9debf58936af183557d9cc737

SHA512
b27fb37f1f52fde57ad52a39bc4ca70967e15f45ae74e13ca71a699cab478972433669a4c8fddca757dc00a6a8fac8b1f9787a0326ec5ad479ea63339b52def3

Download Submit
C:\VidA1\dobxsys.exe

Filesize
233KB

MD5
d0aa7497e44634d1a96ecd9bbc62a408

SHA1
eca2d8b27adbf2b9fe80ce51520e33b95106765a

SHA256
8a048f25e82e54dee2b9e4307ce6b1b37accb7bd4f13954865e9d27a18dacaa5

SHA512
91f0398bb80e295291797635569b1036aae33e582161395127b03083bd302ac5594d709d9edf7abd5fc5a0033b98afc2df274114e5a80d82f2cd976b45d34b8b

Download Submit
C:\VidA1\dobxsys.exe

Filesize
2.6MB

MD5
ee4a4225b6771dc2849aedb4cf34e56b

SHA1
4ae78cf85ed3a444f3628d864d293f89587dcba6

SHA256
a05e90fbd45d79788b63463be06431df65a538ed3042c621b6f2f4adf5d82a3f

SHA512
cfe27fab72f561fac6d2adb25c94d0c5d4a930e07ad8b380b24082cf8f3ddfa18add4f512dcfe44a7dafa1cd2e332ee41b2f053bd8a4bcf428bf2413ce85a1d5

Download Submit