fb05ae11d06772d76a936a5b701caccb633f76a301bf0920af2a51128c7e7f02

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88c4d212a99db077cb052ab573e39bd0N.exe
Size

2.6MB
MD5

88c4d212a99db077cb052ab573e39bd0
SHA1

2761e936eaa3c9773b474aa37cc58d727c723874
SHA256

fb05ae11d06772d76a936a5b701caccb633f76a301bf0920af2a51128c7e7f02
SHA512

c7efde04080339690db6778bf27ccccd3f6842c457bd3ee4640980887962c1c1c35be15a7d2f918256542b778217af771e2b470deb07d5d77fb384e8bc555b4a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpSb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	88c4d212a99db077cb052ab573e39bd0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	sysdevopti.exe
2328	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1480	88c4d212a99db077cb052ab573e39bd0N.exe
1480	88c4d212a99db077cb052ab573e39bd0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFI\\xdobloc.exe"	88c4d212a99db077cb052ab573e39bd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHN\\dobxloc.exe"	88c4d212a99db077cb052ab573e39bd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88c4d212a99db077cb052ab573e39bd0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	88c4d212a99db077cb052ab573e39bd0N.exe
1480	88c4d212a99db077cb052ab573e39bd0N.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe
3064	sysdevopti.exe
2328	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3064	1480	88c4d212a99db077cb052ab573e39bd0N.exe	30
PID 1480 wrote to memory of 3064	1480	88c4d212a99db077cb052ab573e39bd0N.exe	30
PID 1480 wrote to memory of 3064	1480	88c4d212a99db077cb052ab573e39bd0N.exe	30
PID 1480 wrote to memory of 3064	1480	88c4d212a99db077cb052ab573e39bd0N.exe	30
PID 1480 wrote to memory of 2328	1480	88c4d212a99db077cb052ab573e39bd0N.exe	31
PID 1480 wrote to memory of 2328	1480	88c4d212a99db077cb052ab573e39bd0N.exe	31
PID 1480 wrote to memory of 2328	1480	88c4d212a99db077cb052ab573e39bd0N.exe	31
PID 1480 wrote to memory of 2328	1480	88c4d212a99db077cb052ab573e39bd0N.exe	31

C:\Users\Admin\AppData\Local\Temp\88c4d212a99db077cb052ab573e39bd0N.exe
"C:\Users\Admin\AppData\Local\Temp\88c4d212a99db077cb052ab573e39bd0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\FilesFI\xdobloc.exe
  C:\FilesFI\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBHN\dobxloc.exe

Filesize
281KB

MD5
757cd2abae6fe2657d5ef0b8cbc16b59

SHA1
164d48910e2d3840e1a0ec9c0dead1927270ad58

SHA256
defd3b5fe4f88780b18c86db93b10c9185539edf821a7f35795f0733eaacca29

SHA512
c3a194fbf9dc566d2f8f1081e4016431924f7e785173717f0adc8e74aa629688577cec15bd163cd490d4a5b4b200b97547272352c439eec765d3407ff3cbc2e5

Download Submit
C:\KaVBHN\dobxloc.exe

Filesize
7KB

MD5
20ec6effd447fb35f7db816f8c616148

SHA1
c8c9edd9f30b93dc161fc035c69b57e7af305dce

SHA256
43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7

SHA512
6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
110be56adb75a336dc2407260bb0ca8e

SHA1
c9fe47efcb8c053265dd4c986c40c837e9124eb4

SHA256
d13c98cded951ea18f8d26a0a51c30ea4ec18142fc075cc4184da9166e567cf2

SHA512
6827c323304216affc27a514ced8710e8158909cc952feba68d82fada39bf7095d500a4e7053285af07ddeaaedb1aed337348f1bbe432aedb98d65783b0d2db2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
4933c9f30b3d458944d15af27ec0874c

SHA1
81c8bf4496aa1caea4ebbe6247c5a7210592fa04

SHA256
94b48615ab4c70b22214eebffaaf1971d6eeb5572ec9aaedef46d02059d627fa

SHA512
e59b883e7e27f5dcd2d0e868b29ede73aea6d79439354149765d00ac85c2619f20d7e5b5320209465082647d18f0bab13174ef302d311df8235ba6378022b824

Download Submit
\FilesFI\xdobloc.exe

Filesize
2.6MB

MD5
e1f415ef1a91ef3c86ff31f7d8ef8fdd

SHA1
d93ef82547314ba6895ec2b0e5aec9f35b67bd96

SHA256
4aaf35b06b2840bf8a4c094d3dc5db95db9a4c7057aa0cad86b9d955216405ce

SHA512
8ad9e4980ff1bdda931193eb56d01610c4aa95adfd07f0e20ddc74cf7877152b12076f1182c96fd1c378515049b1057bdf77e4a676ebcd09385216132a1b0813

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
ac7f3f813a6242d8b21ae8640a407dbf

SHA1
20337e1d085077ffd4dd78bedf0f51b0fa6d1e7a

SHA256
fa2a92e9669d9ea43fddad065feba71b8907fca2f95ba1dffcbd01c952a53ef5

SHA512
d9ef34692cc541040efd741b28af0b83a9c56fc28894b44423373cefa24e533dfb7a4f476faa9891dcd043260cc75df8e2cb9961f444c4b0e075a291bb1e01ec

Download Submit