9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f

Analysis

max time kernel
148s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
Size

2.6MB
MD5

0e9bb61baea41784bed2bfb475523a55
SHA1

4b4900aa8ba0611b31cc8d97cea7f1da410f7eaf
SHA256

9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f
SHA512

09edec55c4b20defdcbf7fa8d9b3cf0439876b522240097968d05e84ba52ce3549afa3dbc605fba89a185cfb3f571453dbf8ffbcc37b6c51f6556af35fa7779d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpUb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe

Executes dropped EXE 2 IoCs

pid	Process
3016	sysdevbod.exe
3040	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKG\\xdobloc.exe"	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxL8\\dobaloc.exe"	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe
3016	sysdevbod.exe
3040	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3016	2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	30
PID 2640 wrote to memory of 3016	2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	30
PID 2640 wrote to memory of 3016	2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	30
PID 2640 wrote to memory of 3016	2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	30
PID 2640 wrote to memory of 3040	2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	31
PID 2640 wrote to memory of 3040	2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	31
PID 2640 wrote to memory of 3040	2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	31
PID 2640 wrote to memory of 3040	2640	9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe	31

C:\Users\Admin\AppData\Local\Temp\9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe
"C:\Users\Admin\AppData\Local\Temp\9b49ae605a70aa9624b693dc87ec77d14738f6735702178844b4ce81da88786f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\UserDotKG\xdobloc.exe
  C:\UserDotKG\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxL8\dobaloc.exe

Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\GalaxL8\dobaloc.exe

Filesize
2.6MB

MD5
ac54cf4bdfbc5169157465f7a4567f43

SHA1
a424c6fae48d2a0f524fca593fce8b880cc657b8

SHA256
de98d8946dc41a060214147fe8cc3325e76bf07c4e5fe6bace2117de8fb34bc7

SHA512
4b16de1e0d32da35c16c39fd631a4b17bcc55209110fcde2ec7ee809dcf419ff9ba12580e90bf7ea68897a1166010e687e849d3e483d46d530106865dd4059ce

Download Submit
C:\UserDotKG\xdobloc.exe

Filesize
2.6MB

MD5
ea77cb381a5896c3bd572015566202a1

SHA1
89cd32d958bffcc9180a5e8ee912b0dd071e68aa

SHA256
e54e20394e29f9b68675b90c20fb2635828c22742d37002a278249b5ef413029

SHA512
a78b758f5baf86d6689b4fec424de00209127106e14bf5ca54db1b217a386e94dca8b30115dcbabc4676101536846cac88d665f7fcb37f7a4ba73742ce710305

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
c88eed7f6e78375ba3ac3d65bbe7a3ad

SHA1
c10c9d6b292b2d54fb6c7cc226cc4f99633c45f1

SHA256
1d0effd00a4c0bf1a28eefb0d1ee3b52ca1d5af17cc1c0de41cbb9d284108175

SHA512
97956e4e895667fc72b935e6b39e88d4de6670b0f7b436d5d39b8b6b10ce86b84324beae245a06b074791a482d30ba366f0e4fa2e4d328376c668a7525d0ee18

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
5f5eee79fa75fb8eeddf588d0813e606

SHA1
a07558e3a020f0c70671c2a4d86079f7de08cec7

SHA256
6e339c74ed5a3beac5e7f0e5a076f36065d8061405bb223855ae1d7d3e7b7e17

SHA512
1f5d60e17287d5d71fd86dfca70c261b61ec2778edc671c5e3cd72d6cf5dbac8f24261ba75c0e9ef20f658d78d589a1633e7e6eb1d080598a09ba235acf8edaf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
9d5511778e28a8850590a157a9cb9267

SHA1
3820483866631f4f5f5a7aefee60eafbb9c36d3a

SHA256
e775b6154995ce85175ac36f0802c27dae8508440f4099738a0af4b773573341

SHA512
8c36d0b3c9d125688f894d6bc8b8c495fcc5fe04bccaac4b71990700a6681f1ba7cfcc4a8c6016f4a54ccd86d7438ed38f4d4723ca00f5a63adf1ac672561b4f

Download Submit