28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe
Size

2.6MB
MD5

f209c846e1a1b20508b5fe51356ec156
SHA1

7bca8a1428780dd829507ed882072dd4476cb802
SHA256

28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f
SHA512

7f6cb697759e3da1e7843f547d6fc1fad50cd4a9a912123239ef20984e93a10a4e2179ae220defb7e9169a7f6ab4bd5b3404633e9b9bdda5a81452d3fa6a42fb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bS2:sxX7QnxrloE5dpUp+bP

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe

Executes dropped EXE 2 IoCs

pid	Process
1044	sysdevdob.exe
2780	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe
2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvS3\\xdobec.exe"	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQV\\dobasys.exe"	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevdob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe
2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe
1044	sysdevdob.exe
2780	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1044	2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe	28
PID 2408 wrote to memory of 1044	2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe	28
PID 2408 wrote to memory of 1044	2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe	28
PID 2408 wrote to memory of 1044	2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe	28
PID 2408 wrote to memory of 2780	2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe	29
PID 2408 wrote to memory of 2780	2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe	29
PID 2408 wrote to memory of 2780	2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe	29
PID 2408 wrote to memory of 2780	2408	28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe	29

C:\Users\Admin\AppData\Local\Temp\28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe
"C:\Users\Admin\AppData\Local\Temp\28a21b8d4d1d93478860f76cc9360d76497870757f9137528b2345ab4bf57f9f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- C:\SysDrvS3\xdobec.exe
  C:\SysDrvS3\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvS3\xdobec.exe

Filesize
2.6MB

MD5
0d44cb81271dbd9977165d1138ed8471

SHA1
f3342586a25e368b1eef6de559d0c26e36dd815c

SHA256
2616617aa6d9425f2c613059f3153d18b2c88a87b5f00569347fa839f92240b1

SHA512
bc56cc86c28eeeab18c8b7a5dc698a7a88f150241206cadd5a4a6d741f4335c801e83159d586dcb949e9e15453b1aa18e87380cf274d60268cb52b0febeeb4d6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
1aedf10f34bde73258ed408379229c3f

SHA1
0f5aac71c638c1523fc2f6859a73280369418f8e

SHA256
ca8c2b30d91093edad7cec9ddad81ea500964dffefb3783f8f9a045919cf148b

SHA512
ca209b6311ac371a0a28807f88f274faab13b232b0f740b61ffddd8332ffd1f07ca7324c1fea221a9f3ecb78bceb0f2743f3febac1eddf0bc57235d44aaa985b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
43c889237e2a8ef0bc9c4e185f6b5039

SHA1
fe4df18a9b4d6078011981b51863e8569ebb5b69

SHA256
1d76926a96b93f5fdddc13daf2d5226a6b1f76335ce8717450171ff03af0686b

SHA512
9eec46c12d7007709fa7d10943e37d1fc34f5b89cdd0042d6c0a1726f98cc46cc2c81cf40a30829c223f45dbb3611290fe2464a2ef695ed80f6f33949a311a8b

Download Submit
C:\VidQV\dobasys.exe

Filesize
2.6MB

MD5
b776cd5cbc056da47de4e153a43de610

SHA1
e3f09080137dacfb4be1447d4eee7b8f770bee85

SHA256
4a530a5e3095e179a245e366363e16fe61ec7718df913a3cada8bcc9126c912f

SHA512
5ccf47b19782b99731fcb53f53cb4a557e3f06f55c56333e2c5a651efa57eeac7774921fb3f4e702a4d7590591020ba6f3d46c91bd92b4f856d5bf5bd177e881

Download Submit
C:\VidQV\dobasys.exe

Filesize
2.6MB

MD5
a2821fd92fa2edafdc64b00559addec5

SHA1
9f80835e1b82debe2119db22dd374f632b5f4a57

SHA256
9a7938a88da9914e49839264028be41cc079ccd46f4edd6d417751b684671368

SHA512
e099f871e92e40a3e10f74716707c1c14d8ddfb78d3f78943863c2a16c6d83ba8f208a8150a4533ea2e44991793bbb8e01755ff5de023565967cae35ec357da9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
b2cea3c5ad640c160f182f68b1b3ed61

SHA1
f25b84bc0cf03cfc64ab2d658b4487c574d4d8f7

SHA256
ed3b60b0251748c33a6e7d50655e98768042dfdb305f2adfbb57b300a9c308dc

SHA512
bc9f872a5821678543323ccb8968855b89862e1e92b4085d769ba483696ec84c94ed5680a2762b7aea6409163727409d54ff93abb418a47beeb93eee54237c1a

Download Submit