265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe
Size

2.6MB
MD5

80cb880b7638b1f14b68b5b776209a90
SHA1

80a8d553738e50ed728333cc366949e2091693ae
SHA256

265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6
SHA512

33541daa4bd184316b8eb3a175a0c129fbed19256d3ee109c3b77bbc4ad23cff57c2b6f4c82b4745821f3390c8ae1ae0e0b6af0603a0bf27d426b1b15754f3d9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSq:sxX7QnxrloE5dpUpzbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe

Executes dropped EXE 2 IoCs

pid	Process
2360	sysdevopti.exe
2416	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe
2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFI\\xdobloc.exe"	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHN\\dobxloc.exe"	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe
2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe
2360	sysdevopti.exe
2416	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2360	2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe	31
PID 2380 wrote to memory of 2360	2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe	31
PID 2380 wrote to memory of 2360	2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe	31
PID 2380 wrote to memory of 2360	2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe	31
PID 2380 wrote to memory of 2416	2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe	32
PID 2380 wrote to memory of 2416	2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe	32
PID 2380 wrote to memory of 2416	2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe	32
PID 2380 wrote to memory of 2416	2380	265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe	32

C:\Users\Admin\AppData\Local\Temp\265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe
"C:\Users\Admin\AppData\Local\Temp\265adc7906c86911945cd891ed8688098bbc157b8aa2a326776426e71ee3c0d6N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\FilesFI\xdobloc.exe
  C:\FilesFI\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesFI\xdobloc.exe

Filesize
2.6MB

MD5
8e3fda54768d35c4f9932e90f7b6271b

SHA1
b6213fb0cd4198ccb00fb2f6c7feef7b743d1496

SHA256
e84f85499018354631f419cca31446cd69295ac5521fae6864838ca499fcb537

SHA512
ce3af9dd46f1e35ac38819622ae0e43e612f4f83f92924048ef656671aba1f2d934426caa2bd4390b2384cce21adaee880a4f07f356f9abe94e71ddf7c967263

Download Submit
C:\KaVBHN\dobxloc.exe

Filesize
2.6MB

MD5
cd7641bcde0a90131c911a6bb4803f60

SHA1
0ae7f462a0a74e1145e903b68aac03ff8bb09bcf

SHA256
a86d823327c870a188aeb4da3554f0b80c5dc59d1bcecb16a291ee116c4bbb32

SHA512
aed8d3b98d2d4f4a9dcbea67a1125b763be6c116e7f5a0e4de9b795da90ca9fe1c7f3bc798f4009d22e799028d8533a6b9b2a64b84a706795050c7817b23885a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
110be56adb75a336dc2407260bb0ca8e

SHA1
c9fe47efcb8c053265dd4c986c40c837e9124eb4

SHA256
d13c98cded951ea18f8d26a0a51c30ea4ec18142fc075cc4184da9166e567cf2

SHA512
6827c323304216affc27a514ced8710e8158909cc952feba68d82fada39bf7095d500a4e7053285af07ddeaaedb1aed337348f1bbe432aedb98d65783b0d2db2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
4933c9f30b3d458944d15af27ec0874c

SHA1
81c8bf4496aa1caea4ebbe6247c5a7210592fa04

SHA256
94b48615ab4c70b22214eebffaaf1971d6eeb5572ec9aaedef46d02059d627fa

SHA512
e59b883e7e27f5dcd2d0e868b29ede73aea6d79439354149765d00ac85c2619f20d7e5b5320209465082647d18f0bab13174ef302d311df8235ba6378022b824

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
c8f1da5b1a59a84c6852faee59664a04

SHA1
87fddeeb76e4dc9b5d15965e25313f3860fbccb7

SHA256
a3b40d99b92c4ea7239796d0eb748d2a86b6fa0503a20e42896966342a123997

SHA512
c50a0404f71911d652999a247e9cfec3e414df653ebd0918e73845f2c44d7d3a30456310992d71970730f5c96ae32380751f844af330333367dc1832c0b76df3

Download Submit