fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
Size

2.6MB
MD5

6cf11d2b3a18eeea3ca9d3486072b4f4
SHA1

63b862f53cf28e9a478e960e6ca87565820308b0
SHA256

fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b
SHA512

3b931c4f70cbff192860ed8b8f547da4318f12594469e0f56e41d1fd66f0a455805210c116c3bc2da6d86ce51ad04bf52d1e1e865f670e7df5de4cbc4f3d2310
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe

Executes dropped EXE 2 IoCs

pid	Process
4492	sysdevbod.exe
4604	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8V\\xdobsys.exe"	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBK5\\dobaloc.exe"	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe
4492	sysdevbod.exe
4492	sysdevbod.exe
4604	xdobsys.exe
4604	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4492	4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	84
PID 4148 wrote to memory of 4492	4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	84
PID 4148 wrote to memory of 4492	4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	84
PID 4148 wrote to memory of 4604	4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	85
PID 4148 wrote to memory of 4604	4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	85
PID 4148 wrote to memory of 4604	4148	fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe	85

C:\Users\Admin\AppData\Local\Temp\fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe
"C:\Users\Admin\AppData\Local\Temp\fa9d1dab5ce731f4e2b6566db1f76db230865c800c764a7bf8d5054177bfec3b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Intelproc8V\xdobsys.exe
  C:\Intelproc8V\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc8V\xdobsys.exe

Filesize
240KB

MD5
ccd6a2945e542c4d7a6d8b95b0b225b3

SHA1
67e901760d8388b8ee4cf909a562dabc8ec4a255

SHA256
ae4d82df2e7f2bef727789d511319b235611c3101059828aa64d192b6dd58b05

SHA512
5f7e5a26dd9e3b12d3532868f0513bc59ffb1a382cec5172cb068ced77bdd6549c3427ea5361a544fbf81f800f719355b90dabd106a5c081267ba14e13ecd729

Download Submit
C:\Intelproc8V\xdobsys.exe

Filesize
2.6MB

MD5
ada06998029b9606f865b484ae8bea31

SHA1
df32d24f154bf337b47c0e1464c16e05713bb438

SHA256
211d4b6253fb6aa6a0a29bc99d5fe8062f8daeef5636203f7281cdc48cd5af21

SHA512
48552319eb97b667c2efe7047251f692f6285f59938e9ea0b9b4a1c309fd4d4b05f427e0e4e995d885cee0427b4873453187660c5f0201e620e1706575e00f9a

Download Submit
C:\KaVBK5\dobaloc.exe

Filesize
2.6MB

MD5
a3cead41e9e4503cd80e331b6e807d03

SHA1
d195bc9d418176a3c361c8fbcefd00a5939cfadb

SHA256
fec2a23826c3c077c5732302847159846e48d25ee7045b0a793694af252e699b

SHA512
a27d3584f12463eb8d1f29b97434f62e546eff5421b41715c1d697547294ebaf501f8a5b68cc80410999f3e4624181fe0fd5b0069aab42afd27685c987b7f028

Download Submit
C:\KaVBK5\dobaloc.exe

Filesize
219KB

MD5
65ed7458cd996c94ee93832deb4d4944

SHA1
a2dec03d782584dc1ad0cd238db5a4c55b3e766f

SHA256
732a90d390cd7e33facd2d23c62fe31e7bd275d758d96963425f5df885ec2717

SHA512
3d8577696165a33bf44982e293840b739058fa7869198b1327f2e1251fd25f1482d4d6276f4c1282d99d0a8c249e65dac69229d655de1ec753865b15102e6372

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
6a17e0dd253ebfea894dd00160017e33

SHA1
7a6575f3f90c60fdb9a0c689ac82a3fdccea6782

SHA256
d1a0c785943a351325d6c9cc12ecd81f666073faf0eb07a775fe49b3965641a3

SHA512
263701b301cc60e337266cf3b3ce7b73dc4d2982c2b5bd2c57fdac70f4461fe8c07f3ae0c8d197c8614582e7f2a920c29e33ca669bc0ce741ba1920724cc06c9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
e644a7b3398a5d1e29022f57eb7efabf

SHA1
ffe832a0e2325fb0580b7558d5cda4acd155e07d

SHA256
606d647b71ffadf5a2f7f7fc87b58c9ae9f4bc982c6d1bb66ff51b8dcf680491

SHA512
2b1f1026f2e3fb82356d8811a1e2bccfd6f37e58bbe24a8ae1f3ba6c64dca623f69e95392bbaafb2d5329382262d8ad5b8f4f773ab7a5c69c35300259e39b987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
9657d94a1b33c8bbf8e914c4d92c0579

SHA1
64a469c9d07fa2983d2c9b7fcef4b3a6cc6c24ff

SHA256
7d44e86833c071e09814103dc5dcdc7b751e996e0bf5f778cd4b7a4c603be8cb

SHA512
9d849d0a554c4c49ead18bbe88db5f8f44e83a2097c0d1439a5ccdb201a817cc95b4439f80741b38faffc5f92af0a99d43f1eb162c801c233e24f8b9930cedb8

Download Submit