7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
Size

2.6MB
MD5

62345c79bb8aa0ae1fd3e4b3dae384ac
SHA1

2ce73c545e31712ebac38ddbabff1195bc7606c5
SHA256

7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed
SHA512

419007858c285c9af63a95ef6bad14506f58d16705343d73c795181cf7721b04cf613bc5a9cd2e9dbda4134021f54dcbabae3ff931727ca1f9c749724ade30e4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqV:sxX7QnxrloE5dpUpdbVV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	sysdevopti.exe
2608	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFI\\xdobloc.exe"	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHN\\dobxloc.exe"	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe
2720	sysdevopti.exe
2608	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2720	1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	31
PID 1356 wrote to memory of 2720	1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	31
PID 1356 wrote to memory of 2720	1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	31
PID 1356 wrote to memory of 2720	1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	31
PID 1356 wrote to memory of 2608	1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	32
PID 1356 wrote to memory of 2608	1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	32
PID 1356 wrote to memory of 2608	1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	32
PID 1356 wrote to memory of 2608	1356	7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe	32

C:\Users\Admin\AppData\Local\Temp\7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe
"C:\Users\Admin\AppData\Local\Temp\7f5f92ae853c66db63f5329f4d476237e1ffa864bcbe12170fb516cfdcdd8fed.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\FilesFI\xdobloc.exe
  C:\FilesFI\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesFI\xdobloc.exe

Filesize
2.6MB

MD5
7a60ce358b33335471aa4c1915f21c43

SHA1
1652f3bb2136d8e142eb7e3b3ddc55aa8dc3a0b2

SHA256
a44ab64706c8ca638c633059ac426ae7e35f24038b923a4331b9f1dcef77603d

SHA512
d580a2b290459a0c16625132e7e280ffc76db36171f4ab62a2eb3e098414a08e5fc60bc24ad6bcadc692b5a18cbd632f28c62909b383e3674c74c1efda74d5bf

Download Submit
C:\KaVBHN\dobxloc.exe

Filesize
2.5MB

MD5
ed67a3fa9ddd37953b29e1d2fc2c652a

SHA1
eef9421ea87589b5fd527339c781357b11ae9531

SHA256
858fb8a68c239c97b81f5210bd19a9131fb7b30d512e722e8ad432a84771ccff

SHA512
823d9bee179a0650147cc885f00de8dcc1ab08bf60fa571cbea640d91f182111628c778fec4b3af3c8be4a05b71730b68111a27f76168576f6a15da920d0b6ac

Download Submit
C:\KaVBHN\dobxloc.exe

Filesize
2.6MB

MD5
ac6ec8631afaa53a6eeccf0c6fc9e465

SHA1
2d35a151b3a7ef436b1a96e7aa19a9870ff863f6

SHA256
55c5b8aaba02c0045eef521e96fb1f7578d78ff8b8d7b95af84c6e87579ed0f2

SHA512
826e0b1f86a2fc12b8553af4c4ade9f890f4c017b36c4852fc427fd0b0fc01b37c24e513d76e810812a867c1f462b77331d533c4c82d66fecaa826a9f1f20725

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
110be56adb75a336dc2407260bb0ca8e

SHA1
c9fe47efcb8c053265dd4c986c40c837e9124eb4

SHA256
d13c98cded951ea18f8d26a0a51c30ea4ec18142fc075cc4184da9166e567cf2

SHA512
6827c323304216affc27a514ced8710e8158909cc952feba68d82fada39bf7095d500a4e7053285af07ddeaaedb1aed337348f1bbe432aedb98d65783b0d2db2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
4933c9f30b3d458944d15af27ec0874c

SHA1
81c8bf4496aa1caea4ebbe6247c5a7210592fa04

SHA256
94b48615ab4c70b22214eebffaaf1971d6eeb5572ec9aaedef46d02059d627fa

SHA512
e59b883e7e27f5dcd2d0e868b29ede73aea6d79439354149765d00ac85c2619f20d7e5b5320209465082647d18f0bab13174ef302d311df8235ba6378022b824

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
bf68375ec61963f735920c15741ec8d1

SHA1
3b5fe914383fe3860b6f9683c3c0b512c6116cd3

SHA256
a07b998350dfa22a6725ec6168e0f2892ee67367b40d18dadecabc79a7debad7

SHA512
fe6e6f3a7596a257149a51bb4b58c8920b0cef16f6c2f07fa4722d6c2399d5eb8293a2831836902333372fce45be40e6045db4382c8dd0764d7259e07529732b

Download Submit