ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
Size

2.6MB
MD5

a8997dc1a098d34b1a5275cdca2fcfe0
SHA1

777296c1801c7cc4ba11064833bd2750db28840e
SHA256

ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050
SHA512

92a5481c6137b6ae553abae078a757fca9ca8178507d4c197814cd6e1cda0b8a48343bd66919656376892ad2ca4d950577a69f77fcb9d0c08ccfb33d66ed34d2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpNb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe

Executes dropped EXE 2 IoCs

pid	Process
3696	sysdevdob.exe
64	xdobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7Z\\xdobec.exe"	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH7\\dobdevloc.exe"	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe
3696	sysdevdob.exe
3696	sysdevdob.exe
64	xdobec.exe
64	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 3696	3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	82
PID 3548 wrote to memory of 3696	3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	82
PID 3548 wrote to memory of 3696	3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	82
PID 3548 wrote to memory of 64	3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	83
PID 3548 wrote to memory of 64	3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	83
PID 3548 wrote to memory of 64	3548	ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe	83

C:\Users\Admin\AppData\Local\Temp\ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe
"C:\Users\Admin\AppData\Local\Temp\ddba367d4cd0456850f5a9bf0cae2a5273ef67b9f091787fff26ed5e6d58e050N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Files7Z\xdobec.exe
  C:\Files7Z\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7Z\xdobec.exe

Filesize
2.6MB

MD5
5258c2d06799cb6694798cbf525028c2

SHA1
331f1bd1176ce456e90d3640eba3fe39e7a99f5c

SHA256
c68820c6f761ad890202b9cf13a9ed9cd9d06787537a60c4f4dccbe508ab92d3

SHA512
3820a7fb81d0eccb0f144c1998998e0e70910eda1718a777525b1d13c9bec66af172801f7e197dae4d377b1f907b454bdeab370c490e70aaba744616944639ce

Download Submit
C:\MintH7\dobdevloc.exe

Filesize
68KB

MD5
3dd99fd52fa2b28eaeeaf7183018f9be

SHA1
3290381f779c52840fbbe1fff2551e88a8daafec

SHA256
03461e4286d94a40ed75a05b56e97beb53246b66f71d08fb5824a2bd4b4075af

SHA512
de65c0b6ed45fbe40a6f5a9173cd7ffda44d60e8e86d6358d8cfa3d9fbf7c2bc316aac8d1a7af8d8cecc3193437414f1f08e46b5c06d17472ca155173b8e0640

Download Submit
C:\MintH7\dobdevloc.exe

Filesize
2.6MB

MD5
0df44e936ed811e6a62913af85b8d737

SHA1
f1b39d21c1cae9a6ddc033407018691cd317a529

SHA256
887da07ed397115415adb7b2f1ee7599315e026499b8f171ef61d5191a42b14d

SHA512
2a86322e834e37a8ea58a68dfd726cd26fcdb37d5ee19216a1254b69167a9adc33006bbd7b167a5064f6b4f86eb2eaccd709b1a876b4a8d0867ab4fc76e0586b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
32e6c69e81afdf01a49096e0e57a1d87

SHA1
4fdd0268a2187ac2ee6eb148a861e683bf2debf7

SHA256
cea93f294fa8e597ae86f9e2db6e9c3e0a2740bc379b1a1d1e850bc60c50ad29

SHA512
13e308ddad2ee4e0636922cfeb0b121e16072dc51bc7f7e8206006cca9477b5a466e5d14e2b3ac8ee62df2869f76bcae5e3dd69cd068357ff3892293d72c2ac7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
9cdc975f9ca832c132d840df0eb31bc2

SHA1
c49b179b3813dcb01ae4e34f21a4e07d51812e3d

SHA256
1fa26910bcd025053d1d9d4fcb0402b0cc67dccc8c16a90f917891d5d2f0ee4e

SHA512
a368c2cba5c72eca17a3ab9b636d691bf78408d193ea558299aae5ebdb6928a3b2ef758fd73dbbca49aeff0b7377e80cfb7db22a53e1d93b14631cd1e1c4e7da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
498d91e591c6b4eead0fc7913f0cb6aa

SHA1
a0552f9d5b2a3f4c612126521e9378507f265b5d

SHA256
77b9f5a23f0cb57bee1fa8dd4d24dc92b887b352a04838a7a1bb04fd7c0aee0c

SHA512
27564d6d6435edc95e95a794f901e9e67f94654f0187f22bb3725adf6ebd5d1fa40ea5a0f1b312ba61c26384f5d44fa9466679dd4880c6e40867fed19f8db078

Download Submit