Analysis
- max time kernel: 119s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 23:02
Static task: static1
Behavioral task: behavioral1
  Sample: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
  Resource: win10v2004-20241007-en
General
- Target: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
- Size: 2.6MB
- MD5: 2592424d2fc5fed0e389c9ef93d1ffc3
- SHA1: cfa1a620ad2808318c8d4f282d474e0fbb4556e8
- SHA256: 9f162b3ad9ca4820511ca82de5d7b93bda80f37228bff0b996482b207e2c8260
- SHA512: 5d769a726a5c2f6e3f126682b97be67cca53fedded8bf313d85a858df3458001c78e2718c32772ca44c4594240e842253f254a6f867f7410b995025fb3f61f7e
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqi:sxX7QnxrloE5dpUpmbVi
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  Process: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
- Executes dropped EXE (2 IoCs)
  PID 212: sysdevdob.exe
  PID 2168: xdobec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocE6\\xdobec.exe"
  Process: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQB\\bodxloc.exe"
  Process: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by sysdevdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xdobec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4904: dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe (4 entries)
  PID 212: sysdevdob.exe (30 entries)
  PID 2168: xdobec.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4904 (dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe) wrote to memory of PID 212, procid_target 87 (3 entries)
  PID 4904 (dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe) wrote to memory of PID 2168, procid_target 90 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe"
  PID: 4904
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
    PID: 212
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocE6\xdobec.exe
    Command line: C:\IntelprocE6\xdobec.exe
    PID: 2168
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 97a00bb265163bd1f186415674706d9f
  SHA1: fa4f8c1025252b11c18ec0e826e893d9faa4a4ba
  SHA256: 12cccd825c92967d8f488c97cd4cb555586873317400553f165afe07903b8860
  SHA512: ddb809f3ad6f33bf6e0964a133a2bd793915582dabd8ed3e76ff470b3e824a2cc5d713a49936ac05faf2226b803f1e22867be10bbffe91ad16c4e68380fd810b
- Filesize: 2.6MB
  MD5: 21cd422ae2a59f109ed92f0e34ba6fab
  SHA1: 868ed47a2d5e31f9e0bb4cf6c6fc7b849d72fdbb
  SHA256: 684378f6987ed8be87d5568e40c5b111e3d6ba10c24c36bc7c1e7eadba398caa
  SHA512: b650c64718462ae31dab8387c44e54f4825c688c5bbcbe7cb947469889508615f56ce2eb5d0cff3069f68d4ba60e6cce7d1623d36e8b7a0835d0a000a5ed137a
- Filesize: 2.6MB
  MD5: be144084ffe3fa00ec6455b5ebf48e64
  SHA1: 1dc36a5f3f80d4a75a5d008282cae06cd09155ec
  SHA256: 10e07599163ad10f7afd64d1fccc2929360457898f72795dc0d9af98c27922f3
  SHA512: 52359480af1b6d7e0046f179b4289c6cd56e495e6da7d680f095db2bb8e0cf0ece6f2bb172bde590fb188e4c0631e41c017bd7a67bab74732b4173ac8010a1de
- Filesize: 205B
  MD5: b0c2889f4af3df2755ae627aac2905fc
  SHA1: 67e893b26cce1be707d15a1ca7ae5bf1ea6fd8a8
  SHA256: 662295bb5eda94fdb0a1e0db99832d902ae864b46f78058bdd0a2f1bebd5e269
  SHA512: bd35f5f8b203004893c948f4a749c02e76891b3514c7ecf7c45099616cf68a2fd43cc15ea489a597f7656c9218087953f308bccac2a8a99efb4a8078ad349597
- Filesize: 173B
  MD5: 3c41735be421f0031c173266fcab47a6
  SHA1: fa2d12e75806e73c57ac769b074275e416ab1457
  SHA256: 2550ece781fe1249c86c2d4ceb36f5de964c49d6b648eb64a01e428809a2c0f1
  SHA512: 9d6de2239d5389a7e49a747a48b4ffec3fd1ceff5fcab47a25f9b2f243870164ca1a2b16ea30cab2a16e4805c4d1f5875866fdb57838c8816f9c8e31a0a5ad6e
- Filesize: 2.6MB
  MD5: 7c939a6d3980cca2f1b0d21d9c900fe2
  SHA1: c30f5d50bc4a4d897d7af552ed2b26bd800b06ed
  SHA256: 0989bfbcc0274bbf53324ffa6d9fe130cd34ef86b62bd09bdf9aa6ad5fe4a429
  SHA512: c55f07809658bd829f84220f5513309d2ae2134df7a3e6c90f471097870e5fb2e7747828d2bf7b30d45cba97b2b36d4b960609e8bfa030e9fe0e9e0a4ba48a51