063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05f

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
Size

2.6MB
MD5

1f26bccdd30ec8c624318e3c1427e480
SHA1

b9b59d0257e3d499b4d78b5dcfe0e7765f13edff
SHA256

063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05f
SHA512

7589b98728a52a6c52c20d915d4fcfbc7b416e9fd20a8c1c04f2e05eecc109a4f6af089f1f2e485070128e2b4aa2cd6df2cb5193031fafc4f26ecbcac3b39c50
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUp1b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe

Executes dropped EXE 2 IoCs

pid	Process
3684	locdevbod.exe
4592	xdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotM7\\xdobsys.exe"	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintN7\\optixsys.exe"	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe
3684	locdevbod.exe
3684	locdevbod.exe
4592	xdobsys.exe
4592	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3684	2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	84
PID 2276 wrote to memory of 3684	2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	84
PID 2276 wrote to memory of 3684	2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	84
PID 2276 wrote to memory of 4592	2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	85
PID 2276 wrote to memory of 4592	2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	85
PID 2276 wrote to memory of 4592	2276	063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe	85

C:\Users\Admin\AppData\Local\Temp\063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe
"C:\Users\Admin\AppData\Local\Temp\063441ba9be53ad70516ba40bd5ddfc9903930ef0de882d042047bc982e9c05fN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\UserDotM7\xdobsys.exe
  C:\UserDotM7\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintN7\optixsys.exe

Filesize
494KB

MD5
c8c17a9c5a05b964b205aeaefe8d7ec0

SHA1
9079e94bd8a1822fc4d9bffb96716f1fb65974b0

SHA256
8dfc3532fb265b1329370de959046c0f8ba85ac61f51f05eeacaddf62d2acbcc

SHA512
5df829a469251a995994830b9949243b8d07597bac7fd52efbe621f179e922d25c255fe79aeeb4954dac4dd00b6009882688f460cadb2c8f68152c9a8df8b342

Download Submit
C:\MintN7\optixsys.exe

Filesize
7KB

MD5
20ec6effd447fb35f7db816f8c616148

SHA1
c8c9edd9f30b93dc161fc035c69b57e7af305dce

SHA256
43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7

SHA512
6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf

Download Submit
C:\UserDotM7\xdobsys.exe

Filesize
798KB

MD5
58d1a21768626d8a12690f3b906b71c6

SHA1
2d86e7864814004fe20bd61e0d2550939808572c

SHA256
f9a345935ea1033fcdbc832213ac9d1f65deec1fa8adf1eec227ab3b6ea4959e

SHA512
226b2baeaf3a25408ae0874a5692628c02099164b34d66ea2fc5450e35ea649f23d012b7ebd09d27a9c70d2157c3ce90db15021265d61d9b2058d019ec5976c8

Download Submit
C:\UserDotM7\xdobsys.exe

Filesize
2.6MB

MD5
d13784da1380dd9aa89a6cffd99c7bcf

SHA1
04d3a9e82e6a57b4f188cd394fcc1ae6f05450f3

SHA256
4d676016f90a33d81c76345fd7f71a63ea01717a5477a4b717c8a749a31b08ed

SHA512
2af8b0016003a682375c14fa075e19bd961e8d282d55b4912e535f9268f96b9e841bdcc96419c37b6cf53d73fbeaca6fbd31626deae050767abd0721b3fa9b58

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
312bcacb726fc85d926ccbabec6d9baa

SHA1
1356a5503d0d446b9401fbc2865af3060f23f58d

SHA256
49cec914ee2c0b2809e38ffe0871f9c6d7bd25c86e96d89c185ad4d9096e3e99

SHA512
c5bc67755dc8b062a48f57004cc6c3fa6181d511540c621f30a0db108777a80e893d60afc14c701770c003bb6fbc794548a473032c87070cb4df19f397316d96

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
d093539a40336b72ce0d1a93376f35dd

SHA1
f540850fb4f51f49f8af20bce4d9a8bd21417366

SHA256
7f66b5012f7eb057b47b91170b1d3579a599c4beab8241d690952ada93432fb2

SHA512
2465345c2e36eb01634a13898c54791d93bed79d66b323770bf42ae927b081ac675a5c2743be34099e344d76ef329fe44825aa5f30f1739d5746026c5d4497f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
2.6MB

MD5
857fb773eea42970b0bc74158d45c118

SHA1
480dd31e73a3f20db49b7463f636f799f4d8c47d

SHA256
650f1ace00c73cc895b30cb1283357231241126caba84f3be0ada87d926815d1

SHA512
5b2213c92541dddc84f0d8ec615516df282edd8df3e223040b0fb1fea9f5482e0f3fb82c9d47a86e9eaef9f1584d171c6213c2ba6afd5e87b0abd89da7101f18

Download Submit