5da9a62041ccee01094e9f6aae9ed6fefeded85e14e17ae83c6c436479fe9748

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 03:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d13a078ed03f7435f1e79b66e6b6120N.exe
Size

2.6MB
MD5

6d13a078ed03f7435f1e79b66e6b6120
SHA1

f66e6f1aea762eea1db7107f947dbda57956d9cf
SHA256

5da9a62041ccee01094e9f6aae9ed6fefeded85e14e17ae83c6c436479fe9748
SHA512

e2bf72f5e9810ac77703526e80592eae1f378465bcfa30335c99eb1d8d5844d5efd716ba0f7a41a18fe7e3f8aa37f38395e5329ce4f266b9ea8f6ac93e0d5b9d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpOb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	6d13a078ed03f7435f1e79b66e6b6120N.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	locdevbod.exe
2684	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	6d13a078ed03f7435f1e79b66e6b6120N.exe
1928	6d13a078ed03f7435f1e79b66e6b6120N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3I\\xdobloc.exe"	6d13a078ed03f7435f1e79b66e6b6120N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBM9\\dobdevsys.exe"	6d13a078ed03f7435f1e79b66e6b6120N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d13a078ed03f7435f1e79b66e6b6120N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	6d13a078ed03f7435f1e79b66e6b6120N.exe
1928	6d13a078ed03f7435f1e79b66e6b6120N.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe
2108	locdevbod.exe
2684	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2108	1928	6d13a078ed03f7435f1e79b66e6b6120N.exe	30
PID 1928 wrote to memory of 2108	1928	6d13a078ed03f7435f1e79b66e6b6120N.exe	30
PID 1928 wrote to memory of 2108	1928	6d13a078ed03f7435f1e79b66e6b6120N.exe	30
PID 1928 wrote to memory of 2108	1928	6d13a078ed03f7435f1e79b66e6b6120N.exe	30
PID 1928 wrote to memory of 2684	1928	6d13a078ed03f7435f1e79b66e6b6120N.exe	31
PID 1928 wrote to memory of 2684	1928	6d13a078ed03f7435f1e79b66e6b6120N.exe	31
PID 1928 wrote to memory of 2684	1928	6d13a078ed03f7435f1e79b66e6b6120N.exe	31
PID 1928 wrote to memory of 2684	1928	6d13a078ed03f7435f1e79b66e6b6120N.exe	31

C:\Users\Admin\AppData\Local\Temp\6d13a078ed03f7435f1e79b66e6b6120N.exe
"C:\Users\Admin\AppData\Local\Temp\6d13a078ed03f7435f1e79b66e6b6120N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\SysDrv3I\xdobloc.exe
  C:\SysDrv3I\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBM9\dobdevsys.exe

Filesize
29KB

MD5
c2b58e7bd0d9d36929797d78aa1d3e51

SHA1
8fc011635fc3980b8429b2956954a84ef4f62f48

SHA256
d5277dd43fac6b920dc73e189c8ce3c2b5d25215f887f88a07155db345eeb18c

SHA512
78c62f3f40b38eb2f380b786661968a0da8840a04924336873b4f4aceba9dd3bd8652ebb78ce9ba2b6128880c6d2ac12c784def607e382a7ede8e458ed4932e0

Download Submit
C:\KaVBM9\dobdevsys.exe

Filesize
2.6MB

MD5
2146e90446f2d17842993307abf5d9fb

SHA1
4ddd8cf1542209f84550fd473807edf006829fb8

SHA256
d30fe7de4947e496414cb68dd0c9ecad34dfd22da85627e7ebb062e63f5fb7dd

SHA512
d80fdc2507ecc5159095791f9854f77fb7e085e4fddecf418c7160fd6e9c90ed7cfd7356138c64c7f455045f84b9dda39788c8deed1a5ee174cac061dded8a04

Download Submit
C:\SysDrv3I\xdobloc.exe

Filesize
208KB

MD5
b5d0d977b82d8ac3b032a75a1f44f72b

SHA1
c417ad4b249ea68e43e7c799fbe892cff9821c3a

SHA256
c6f28d6c43511ac74a30ba109445a17d62210fb870961e076450206b2f705e48

SHA512
ebfc235f3a647bcd74c686978d00259c309762a1107dd74cee6c87d9a0e4bae67979df3e7f0621f6c2ed71b852715055b695bbcbea01f704d4b6d81a4f32ddaa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
c40fa359188d43d2e2f97076896aa3aa

SHA1
3a4a4a663af3ec51d5671721e8342bae7cfd98ac

SHA256
cec499a471b578a14a403def3e80e082b8369cad2fbee2f2b9134edfe9fda78d

SHA512
d3dcc03f5cf903aff400b77f15b93957f7de4f24bd436cebc5a5dc9b1d4f0a58cdaa39f8e1b338b74ead2615d1709a06a6b061d9aba8ca25e454048e94c978e9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
3cc03d08d47fc8a8432b78e3ff7ef1be

SHA1
21cb3c1693f84404f16277481e8762f176940ec1

SHA256
06b0df73537d87f73642a98fa717dc0d19bdca62f50683f7422dff2ed02b5bf8

SHA512
48981bf448ed7d40eeba6b7b7d1ed19f43f07fa1186ae0124df4a12d8d53dd09d41d6ca654046e703b89b8159b41e22be7abbd07c9c33a72d4a81aa37faa7e50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
88038bb0042030140f231ceeb428a06f

SHA1
3c98df49d294577f702705bb7c34052727c0c526

SHA256
f190a3aa518aa43bd2237e8b529021e3a7a9b7eff1ea9f01e6fee309d5c4f2c7

SHA512
d2465803bf205f23df1fc814f11950a8fcb60f2921dd8067030a6943ba25bf3c84c14d2590f6a91801084841ea01cacae4e7a3a699e4f21b705a132b23e9e839

Download Submit
\SysDrv3I\xdobloc.exe

Filesize
2.6MB

MD5
41340713697cdf5b70b6406bc64d1ae2

SHA1
d447fd5fa317001cb75741f097e62f7f39db37a9

SHA256
b45789cfe4f90ff337580568e5ed1b8e7bae689f6249a47e2a4d67f8a39fe725

SHA512
45ec24a1fea9875aae7df9bae8d10606af021064af55fbc6aca04abf23531d9f86a4ccfc75449b6ba91b73516ddea75b4befedd3eefa5452d183bf1be7168b5b

Download Submit