Analysis

Max time kernel: 149s
Max time network: 135s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/11/2024, 20:16
Static task: static1

Behavioral task: behavioral1
  Sample: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  Resource: win10v2004-20241007-en
General

Target: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
Size: 2.6MB
MD5: 7204795903d90d323e85f5187f2728a1
SHA1: 10dd0752e9ed7959ed28b992fdf71df7a0412beb
SHA256: 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0
SHA512: 87179bc47902db598fef83161acfe2bf56841bd0586f05c04df683928c2a33fb1d1ddbcc9db48fe498b55d07645e83263ac0fdbcb233f624e484af535a1a89f5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpSb
Malware Config
Signatures
Drops startup file (1 IoC)
  Description   IoC                                                                                         Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe    1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
Executes dropped EXE (2 IoCs)
  PID    Process
  3108   sysxdob.exe
  756    devdobsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Description        IoC                                                                                                                                                      Process
  Set value (str)    \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocI9\\devdobsys.exe"    1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid10\\dobaloc.exe"        1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description   IoC                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sysxdob.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   devdobsys.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID    Process                                                                  Occurrences
  3004   1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe    4
  3108   sysxdob.exe                                                              30
  756    devdobsys.exe                                                            30
Suspicious use of WriteProcessMemory (6 IoCs)
  Description                      PID    Process                                                                  procid_target   Occurrences
  PID 3004 wrote to memory of 3108 3004   1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe    89              3
  PID 3004 wrote to memory of 756  3004   1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe    92              3
Processes

1. C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe"
   PID: 3004
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
      PID: 3108
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\IntelprocI9\devdobsys.exe
      Command line: C:\IntelprocI9\devdobsys.exe
      PID: 756
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 38302d484aa5e8ed101dfbecff7e95f9
SHA1: 0cb065a03f3c4f7e595a1bffcde921279593405e
SHA256: 697def89a6179c2df9f4bfe3e54d37d612101e7c69c3f8edaeba2935915bfe3d
SHA512: 65e47f6289c8f3e7faa8cf7aeb978eec1d3008bd785490961e55be61dacf2990b78e4a446f5496c1173b1ed9002ef20c9de40b672f2396f1264360a7fe5e1d64

Filesize: 205B
MD5: 8cfa684fd7d4f5801a02a41ca7708de0
SHA1: 4129299dd9e3d7bd62f3cd0a938b27696dc921e2
SHA256: 2ec8f58303ff32473324584d5d8ce6bed57e5f92354f4a46c9b8cee0bd65e970
SHA512: 51054e79c371edf8c884f8d393214a0fd90baa02f8c6bda1b6b733b4560eb2bf44c75045cf8c08b511c019cca14de5c393bb1eb55fd9e244192f6ef04ba4e331

Filesize: 173B
MD5: 72d37e07bb35476f2262d300f7168966
SHA1: 62a1e037f2fec7b36119ab50b61229ad234faec2
SHA256: f1d0cab30eb47d6e63e982ff0c4976806ad6132899b820e06303f7ee6f5380c5
SHA512: 89bff6e1ead0cb41edfc8e1ac52726724807627b47b2b3e2f22ebdd545af0c77d7bbc4e9d06d5643ff23de02adf0a7989df5581b2644881db6d7b985a6760f5b

Filesize: 2.6MB
MD5: 4cb6ee0fefb1afdc96e34c2c288bd63e
SHA1: a204c2ed68c762d556bfe5519139ac9806c1d65a
SHA256: 39765c570b74c9adc3e9396c4d6033763b0ad57ff7706881a6d2e3d8ac29d5b4
SHA512: ba6451669f472ad36e9d20dfe8fe42002522620d5a684ae0133c119f6c25c6e30b72d13de2a0d53c5454445e949ef21ee1b6845308647dd8c494ffee8d00f4fa

Filesize: 2.6MB
MD5: 6e994e046575c87249ce971bf644b0e2
SHA1: 02f69a3bb942ffd12081609c5e0a6d2b85bdf7e9
SHA256: ab74584e9f3723de382a5c1e9833e4dad300084896c358de457890003bed5c46
SHA512: 6d4ff5a44ba5d047c5338522866cb615874c79a16e196196b58f9162a0b6433df2e9dd98c5266797b9a7f8c1616bff29aaddf99cbdb1f1e5cf8c181bfe6d8944

Filesize: 11KB
MD5: 6e48912c750d2a4af218228dfe476e8a
SHA1: 8f0359cb3b03fc05f8d0ae4252aa2f0f938f5489
SHA256: 6b8e8492afa8a73802220d65a0081445b52649c7adb41c2a83e8b252554e2e40
SHA512: 94858d91585a291b7d07057ddfab384639fda1d9cd40f60502ac2f6de5e4385ada01e9a1a17288f7fa3c69de4f3c0817e5f1fa0a63251ef7975ea060e3ee05f5