0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
Size

2.6MB
MD5

bd49b46ba24fc504eaa1d96739c009e0
SHA1

701764bbec0e3cd74b1c025fd497c3476077f382
SHA256

0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1
SHA512

5f70f5ba4d83149211c0e670720707e841c6ef9a91957d65173e05e1e812758c4e7debb9d166eebc2cd94ed8a5a169bff8091c06dfa403a6a0f11d9dd2ba9e44
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	sysdevbod.exe
2932	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIY\\xdobloc.exe"	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidB6\\dobdevec.exe"	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe
2764	sysdevbod.exe
2932	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2764	1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	31
PID 1388 wrote to memory of 2764	1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	31
PID 1388 wrote to memory of 2764	1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	31
PID 1388 wrote to memory of 2764	1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	31
PID 1388 wrote to memory of 2932	1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	32
PID 1388 wrote to memory of 2932	1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	32
PID 1388 wrote to memory of 2932	1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	32
PID 1388 wrote to memory of 2932	1388	0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe	32

C:\Users\Admin\AppData\Local\Temp\0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe
"C:\Users\Admin\AppData\Local\Temp\0855307d1224897cdb87dcf835d19ea0fd7cc09caa8ed2a8ab0c770faef633b1N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\AdobeIY\xdobloc.exe
  C:\AdobeIY\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeIY\xdobloc.exe

Filesize
24KB

MD5
3ec2a465b54d769a7f3d66e20b3c7f81

SHA1
7b85b7c06cbef1c6ae009f4bb29c7b0fe15f820b

SHA256
e9ad19bbef39ef632da099566665f963ff6fc962bd436ccc46580e705d366ee2

SHA512
a8692013f95ae74ea35930a505d2357385b1d7ae1447a3135b9d24df39ef741e2b6c5951c6a138cf6ea148926caaccf6d3cc429d97b17e512570c7b8590c157d

Download Submit
C:\AdobeIY\xdobloc.exe

Filesize
2.6MB

MD5
f06ea91a04f26835ecde6ba933b15d22

SHA1
933f7290055f3bb41b9a702f28b078bdb38c7bbe

SHA256
75dcd6deebe0f30776110bc2e0ca73cc4c35485a353e03a6f4907db455e537ad

SHA512
21beed4b6e74a831497ebc176af5daf8035656fa0bb5999333709d963501f83cbb886928d7cbf395c4fb3f4020a4fa2807ebad7dffa4552cee59fe1f9a15c14d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
999ce609fde94bb2efd5f6d9e1693f79

SHA1
e1a04d847dd61b1a83db53576a0b48f6fd939936

SHA256
94e772c4f97de97b7b2ad5b4252b6c395c4ffc37b25575476fd35135948349f2

SHA512
71833998eb873bb9b598867efdf9a759e147d5ca43f8d72cb956bea67029298845dce1cd50dc34593e920bb1ec8e25bf34e085b99b3ef1e24989710f14f455b0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
4cdf67f59f2b62baa651ab398702b4ff

SHA1
fe59a925b8a9b59932e9fc42496572bfa4a0c94b

SHA256
1a17b53fe7d2f77cc6059480e219765916e66e04602cac11873170a9301854d8

SHA512
17130e76d52e232c0d70ed3d5bf028b9c59f82a7d463d0fdaf9b5cab14c26a1caa0d8ab2be823425fe6cd940ed93a393537f35cb2af131afeff8ffcf3714f146

Download Submit
C:\VidB6\dobdevec.exe

Filesize
14KB

MD5
5ffab038d17d47771c031d3b701e0cc5

SHA1
74d331d26e5210e7e523c750b0080e1641bb61f5

SHA256
1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982

SHA512
fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec

Download Submit
C:\VidB6\dobdevec.exe

Filesize
2.6MB

MD5
bd6947d7793cb119eee0e5ecc7c6f7eb

SHA1
474cd33c70357399bbbb0cd116310e30f5809828

SHA256
7e063cbb3f7517f83ed3ee24fb1c2f9bd2677b62920825a0e65f8e866bf41efa

SHA512
bc639ff6e972beb5b3b5d4fe1fc8c900fd643344bb3be2cc2e337d8d2f7630ac479f98bd1185f50e1ef3ef1813807057a3d1ae0aa262080821024ed791bae678

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
2.6MB

MD5
5fa86de204be01fcdb8ce4fb9e43213d

SHA1
b828c48776c822802433a6b805c4ff9a5879abed

SHA256
673ff185889d5a71ab3446431eb7a30ebf801ff6985a6219613e279c58937338

SHA512
710c842dc8b24cb3e71eae0c0c6930cf4399d74ed6377c05e8eded3892d875f7c8fbded67da4267e83866cae54163379f02143ff4af30d8dca62b776eb03d2d8

Download Submit