0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961c

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
Size

2.6MB
MD5

6d4eeedbed7e5e4075a296f34f997f70
SHA1

94f12e4e3ae25dab70aa07bd56cedd21f6e45924
SHA256

0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961c
SHA512

c1e1bb0dc8efdca473199f9d394249d747f85de1942b26fff8642b41833f8f9ec31c8b8572f4f0a12c08dd775560f791a91aa623cb051446eca3963b5bfe8fcd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bS:sxX7QnxrloE5dpUpYb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe

Executes dropped EXE 2 IoCs

pid	Process
2188	locadob.exe
2728	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVT\\devdobec.exe"	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIM\\dobdevsys.exe"	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe
2188	locadob.exe
2728	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2188	1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	28
PID 1344 wrote to memory of 2188	1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	28
PID 1344 wrote to memory of 2188	1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	28
PID 1344 wrote to memory of 2188	1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	28
PID 1344 wrote to memory of 2728	1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	29
PID 1344 wrote to memory of 2728	1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	29
PID 1344 wrote to memory of 2728	1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	29
PID 1344 wrote to memory of 2728	1344	0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe	29

C:\Users\Admin\AppData\Local\Temp\0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe
"C:\Users\Admin\AppData\Local\Temp\0c059b2d17a2b91212fa8c7ddfceda78fa9a5406bed05cdb6132f7818cb2961cN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\UserDotVT\devdobec.exe
  C:\UserDotVT\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotVT\devdobec.exe

Filesize
2.6MB

MD5
6c901f9db17da0d1222c5afd2bc867e6

SHA1
1aef8ce6317802857d647540f1b95dc4e1979ed1

SHA256
e523fb135cc7837148dbb0fb45c351c8424417222e6055b58cc6fc47cf8944ed

SHA512
9160d144870ef4edc042a7da1da88e4a16f599b73360787aafb7dabe010f57d7636a5c3bb2b3752fce7cab7381e4c060c2da066ea9236fca9c4de2ed4f2c1eb3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
87827867de0aa4a70a80a6fda66b88dd

SHA1
e20de06007de08db4ddd0586fa86a36b91433583

SHA256
36694e39343ec1bffca86dc8dd4bb0bda582b038724d222a70b9fb015dd049aa

SHA512
2934ddf4bfd469767c77828051e3631098a41886afbd4e52dd672313350cc29c3a7180864bda8ad62c0160554e72cc27dd15c6b0a50ad384d77ceac58bb9544a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
6e22ec949a20f46043c6a35c403bb535

SHA1
7a8fa652331b69b531748e05d2f0dec3f381b2e0

SHA256
7979636102e939cb4444415b3da50982326b9d998df0c52830d4dd792b07cff4

SHA512
af790ebc3ff3cc8d6fb4c8d3ffea2c991f8234ec914fde0e289afa73ebdb006f0e52bcecb424fca7de5eb07a5ca4bc107dd61412b3f4134407c59dc0cbf19c7c

Download Submit
C:\VidIM\dobdevsys.exe

Filesize
2.6MB

MD5
f60ff7dec6d385a44c2e64e909e230f4

SHA1
a477d00b4b41e1697e9abd7264ac44219737fa25

SHA256
2aeeefe3eb4c04bf7d38152f0a9f85aa6029e46a624311d99364b67c4cdc36ea

SHA512
a3fb78f353c15355f2edb998205c0ffe7bf1df009c30e0a9089a876b5f733e13c2f20f2d942ea6392414f2f64f4222b7a8b89ef338bacb97100575c49bc2321b

Download Submit
C:\VidIM\dobdevsys.exe

Filesize
2.6MB

MD5
f6b13d56e562751ae6818b5a74374c6e

SHA1
e6c5753aa5199c97c398dacf99d0661099e0b917

SHA256
ced45d86670bac1d28bab1e0ed5a6da04f0392d840d8d9da61156b06cdddee96

SHA512
c392c09a4d4c354c7ab82b42337caf01431c5a409ead43699d6972ad0240bbe64e16b45971c450c1e64159c0bbcb9b4e74e99a871bdee22810f02218c1d2ff49

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
2.6MB

MD5
a90549e9f5a3b0b1eab78fd78171a3da

SHA1
2335449b9a105e1a2bd15ad955319aa42d9d167d

SHA256
3975e1f0b20e12f4ea459da9d231f07a5084d3ea0e50fd959028c20efa0b5c5f

SHA512
cc8bf3ec62fe938580147231da31bcfdfd94b5c8a1c8419604cefa0dc691b28d55e6d3cb2eba8c4ef5febf997f267bbf71e2803e332735b7e580e6dfe19145ed

Download Submit