e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe
Size

3.1MB
MD5

45d2a13e7a2b3e6b4f6da1d0d42fb617
SHA1

c8e87c8ba8a8f900594e466e316a1174429e5f95
SHA256

e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6
SHA512

30aa10872d0da4c7f7871075ec8bbbf2b42a359f7444d592564a34e930a10cd8fa7b6ab7d0361a205dff757f375d7e1b3a8d4231febffa3e88e327e7587d97fa
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqIk:sxX7QnxrloE5dpUpvbVz8eLFcl

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	locdevdob.exe
2552	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe
2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesW2\\xdobec.exe"	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQ5\\optixec.exe"	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locdevdob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe
2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe
2488	locdevdob.exe
2552	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2488	2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe	30
PID 2676 wrote to memory of 2488	2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe	30
PID 2676 wrote to memory of 2488	2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe	30
PID 2676 wrote to memory of 2488	2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe	30
PID 2676 wrote to memory of 2552	2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe	31
PID 2676 wrote to memory of 2552	2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe	31
PID 2676 wrote to memory of 2552	2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe	31
PID 2676 wrote to memory of 2552	2676	e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe	31

C:\Users\Admin\AppData\Local\Temp\e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe
"C:\Users\Admin\AppData\Local\Temp\e40686ca24a07a9dc2dd785a031df1d41587f8d021478811b11c276eeeff33e6.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2488
- C:\FilesW2\xdobec.exe
  C:\FilesW2\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesW2\xdobec.exe

Filesize
3.1MB

MD5
9b3897e0fc3c7cb3f673480e1f352a75

SHA1
d87b31fb62999b1417ca043d954532be87ad763e

SHA256
427ac211b414e08ed7143dd098b696115cc858bd193f257935076190f085f6af

SHA512
bfc8550127766a71b38ff32720866fdf84260cb8ed3be9e8cbf73ecd9ad819ae30211b8ba7e95b4580699361faf89d4850f3c038adfc5074f653eea52e6a63bd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
b6c4d7124b9fd462c54764f7cdba9320

SHA1
7bcb8e8d0d9a0ec7f5f0d15157d4e38b141f8808

SHA256
6edd08c9b89a959217e40e650c36aff8d0358ec0da76002680f2fe183598b1de

SHA512
bc7efdefa1035d5fe786a695bb869607d3e13667df37753e6f1770f6848307ed9b8d361aba3b6adb055ca4d015ffd0e6d638ff1ff7077d604c76355b2a183c0a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
f3bbe36ea73979868f99cc6cf229e1bf

SHA1
bbc2dba2ded6b87695657d5e652a9c1da1fa4e96

SHA256
2b7a8090b180f92c3a5e6e99f7121807773961d1bce734b4fa0ca294e9405e19

SHA512
18a9764a9c906c36654da0270c32c1284d6fc8c4acaa3a827121cc8207542f201dc49eafa676d99a1610d7c5bb55bc1451393b956e581b24edb4a0484df4bc72

Download Submit
C:\VidQ5\optixec.exe

Filesize
3.1MB

MD5
acc6d4245be82a628e499ec27a2d82dc

SHA1
2f9e51065da100791253fe6f54c48f253cd573dc

SHA256
71bb6959a499316a075129982ca5242ba230577df95138c1bab53ffe43b8b3d2

SHA512
b3e693c61a5c56075613b88a41ee1f8ff84bafbca7d1cee4454bf77e0f286f05e31e4227e4dc0e3a4e3c21215e578001c5184be751b25d1fcd4900c2f30d9e59

Download Submit
C:\VidQ5\optixec.exe

Filesize
3.1MB

MD5
852de27e059ec42d5658b166ae9b772c

SHA1
0ec7250735b85dc738186c764fd61ade03a39050

SHA256
e8466cd61d06d203a2b46351d82c7c16be5f7c888a8a10aec3b87a6ab546bcaa

SHA512
61c92bca315928e57c4f60f6cd6b263173d61061ce516acd4360ea44990de6f177e90d4648e6f4c097ffe659fafee3abc4e61b08f6af21c1da911af3adc29499

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
3.1MB

MD5
7859f41d8e889939c09e0e42c07ae6bf

SHA1
103a184c4a2be9c2b4f07c9fa6f3e2cc22be9fdd

SHA256
aea6e12d23fbe0ec7291e59d333b4c99050b1b81d5c4b7de134b6018584e016a

SHA512
1d0f96b2ad0bd53276141b374e7dc88139afb8c69c7345251d6ca1925b709d59f087c7bf2574cbb660bc4101d928a58c8284f5dd304bd1a15cd116164a97fe3a

Download Submit