69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
Size

2.6MB
MD5

2a1d3cf6c550582b05d052897e4cc18d
SHA1

4bcd069c7a1cef1004255493398ec261ccceb671
SHA256

69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b
SHA512

4def24e7dd2557d2e699cf53ef865a039e7b5166f4d0f87d85ee9dd78625e883615b8b6481b982f8506f32210e3faf4b696a5c42de4060dac14e7da8e6a5f6b4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpDb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe

Executes dropped EXE 2 IoCs

pid	Process
792	sysdevdob.exe
4444	devdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe95\\devdobsys.exe"	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB53\\dobxloc.exe"	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe
792	sysdevdob.exe
792	sysdevdob.exe
4444	devdobsys.exe
4444	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 792	4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	82
PID 4796 wrote to memory of 792	4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	82
PID 4796 wrote to memory of 792	4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	82
PID 4796 wrote to memory of 4444	4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	83
PID 4796 wrote to memory of 4444	4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	83
PID 4796 wrote to memory of 4444	4796	69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe	83

C:\Users\Admin\AppData\Local\Temp\69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe
"C:\Users\Admin\AppData\Local\Temp\69808a6e8264a065c3361aa45f62af1d23a8f8a61a19c366ddf30661ccacdb0b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:792
- C:\Adobe95\devdobsys.exe
  C:\Adobe95\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe95\devdobsys.exe

Filesize
2.6MB

MD5
1ee548d9f4982a332c29bae6f1b74107

SHA1
37e5537a85cdce0337b252a18641c92b67d7aaee

SHA256
fbb7035cd8b249342e03469cb181a267765f50324f90adb9830a2e95e9351bd9

SHA512
82c5414c54d7ca93fdb8fb8e6d2fed438ccc959ced08d9ab7c2eea213b067df7f361631bd94e07eeeae5b0f60da42e9cc0990390118cef7077f5ffcfca1290ec

Download Submit
C:\KaVB53\dobxloc.exe

Filesize
1.3MB

MD5
7949c0629c25a72a12d3865576eb04cc

SHA1
1c007fd7cdc095db238029afd3130a6d8aa9ecbb

SHA256
43ef24f0edaaef3b9a39ac61880314c07b3ca7c7aec273927b5ce4c720135ff8

SHA512
ce194f64ea9749f7fee8e65729002f8b729e723b29a1d0c9b51e2cf5d7279abaf9333e141fc63757d5c79cf72cd69e10f742dcc1a8e8121e675774a2f705df15

Download Submit
C:\KaVB53\dobxloc.exe

Filesize
2.6MB

MD5
e673ca07e5a1a9d99f4815ffd12e88e5

SHA1
f8aab6017ff3fbba8220906e62aeee3c1f662def

SHA256
9a6391e8517875d84aa47de1918343e43cf1da86071cc76035be06670ce2d6a0

SHA512
d0205cbf8663c1616e69f14e1cd9f8df9271f7fb8c32a248fd8ec8d74290f4ca73c0d91fe5263e41e796106d0be0c76b1549efa3b56c510b50d145e0f9a00fd1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
0ec7e5d86d9327ddcc4ceffea222932e

SHA1
e7f2f0660c6fd8f4af677486e5f1b1d61326eb5e

SHA256
c649d043a20e4fd3d2e1060aa36e2790181aaf887d7ed97f442ee11713db8a14

SHA512
10745e158e4fde3ab9b7843065a507536551db1e18640e14240e24da1d88a0ead5c97b31dd2f5ed1c0058c17c55346cb04c4bd310ee52fb70b3c31222ca3a30e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
6a83fa32a3fb777ce7b16d2c93e98565

SHA1
d2ee7f76cf557a5535e5244430e84348856f5d29

SHA256
8c3d5b386445fd049229555b92aa2467e3028b93b805149845c1df6493453bc8

SHA512
0ca3741d25395fea111bf857e04ef178388846d4601144b693be9f842e16787448374a832f0a4f85d65c479c14057e16ebf8751f61479a75abc999fdde2c6c0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
0c9181cc2864685d8ee1e39672f83dff

SHA1
cb3f31cdde902469adb33e90dbfc69535e86b04f

SHA256
0c19f0e66006f9640836952e817dd7d886218ddb26886f1c2333f15150b85754

SHA512
8c97dfa73ad79c62cb9ff2e7135e44dbe99fbdad9eb5f3748d304e3cfe58aebc19898d8ff32f509ea772bda9b099aef30d7d94966c97371178354f3ea69ed20c

Download Submit