2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8e

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
Size

2.6MB
MD5

8a2de1a619b66fb9813a0e8f2a310a60
SHA1

5822dfc297539ff9f2f6ed305167296cac803000
SHA256

2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8e
SHA512

52964fc7ff81c1fa2b3143b9effb09e62c66b36265ecbdd5a71643c1882164859549341bfcf88e91d0713d656a38e668908ae6437675e3290355fd33b08e0f68
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSq:sxX7QnxrloE5dpUpJbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe

Executes dropped EXE 2 IoCs

pid	Process
4144	locxbod.exe
2076	devdobloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDB\\devdobloc.exe"	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZZ\\dobaec.exe"	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe
4144	locxbod.exe
4144	locxbod.exe
2076	devdobloc.exe
2076	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 4144	2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	88
PID 2316 wrote to memory of 4144	2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	88
PID 2316 wrote to memory of 4144	2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	88
PID 2316 wrote to memory of 2076	2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	91
PID 2316 wrote to memory of 2076	2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	91
PID 2316 wrote to memory of 2076	2316	2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe	91

C:\Users\Admin\AppData\Local\Temp\2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe
"C:\Users\Admin\AppData\Local\Temp\2ff4d396642fe645f20092ed01bd952a13de311a85635f535a7ae1fd21fa5e8eN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\AdobeDB\devdobloc.exe
  C:\AdobeDB\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeDB\devdobloc.exe

Filesize
533KB

MD5
1c1f1a5c80a9429b8081e408cd558c63

SHA1
fcd3cdef04d31bdb442e51d95d7a6de6bd6203a0

SHA256
dc30020dddc3fc2ad012d9d1f106d44e5bb3216e9e7c575b4a67a2ef9e982359

SHA512
6160174bf0b8639684391f35791deec0057d6162061fc67fe466047bf671906ad88ab96e014604e17d0cb8352506ba405d9fac2c14c95bd8a048e1ccc9c9563f

Download Submit
C:\AdobeDB\devdobloc.exe

Filesize
2.6MB

MD5
65bd28b14375294811936da27a310790

SHA1
1ad6ea997081c15c02c650c94d13542f4cb3d1e7

SHA256
9dfb5c84ee4b1eeac431e84ac35ae07cbf3ebad2ce9dbd3c1384a8bfcd12f909

SHA512
86fd4840250cded6459a8dcc1a8a5579f654fb222fa1d3ef9ce8d03800afa516f511ec41fc9869656cc9def4206d73af96cfba04a4f6dcce2fb3a4f886fb60c1

Download Submit
C:\KaVBZZ\dobaec.exe

Filesize
2.6MB

MD5
10ab591ac4cfa7a239795ea2cea71f19

SHA1
2a86fa3949f96db03b0a91ad26721f393fe8bced

SHA256
f46e99ccfa605b8730c059fe4d1f588e1867987950f2dc205b1e73c10a4c7079

SHA512
c3e7d5770ce7418b9b6c3596e3d3876d2fc0f49838cf144f258e9b783cd0ddd8001cc3deebc922c831a0becd5feb067d399bbb14772ffcec9a3e801b4146a0e4

Download Submit
C:\KaVBZZ\dobaec.exe

Filesize
2.6MB

MD5
77e354589737d3b24119b3c954beeced

SHA1
126fd6e32223ede0ee421fd2f8d55080ddc12604

SHA256
cff85a48cf54d6788e5f1f9c5b9dbdc2f948406292f0cde94f9d2600f1e1d25c

SHA512
0529979ac211fe66df83424a0767b8ce0124006ee179077ee70fee2499c6d9dbd714ee109e394903173ad030e4fee0ed2cb0fcb15b1888e3a9afad607086c292

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
cfd8991690d9af1e5a49b69e1ad1f8f7

SHA1
87cab5edac1448fa461240b0018407b2824bfa34

SHA256
c434adf3e63e573781c59589e54efc73e0e558786b2162a724503902f27cd781

SHA512
f95c8a33ff9b5fe28d3d366a2ec3943d2881d52175416528b8397cdfa07947943a0d7c7dde59503ab8d0d71ef1c809f3abca267defd9c579a84498c234ae306d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
6ede1cf4f9f7092678442dc26c247ec4

SHA1
80b22025fe17304db5cb99856e1a27e6a4a6302d

SHA256
8d9af09f8e09e22b953fa99816f8a2a0f50b4ef4204a5224909eae71e20e156a

SHA512
64b4e70096a3317819de85e55342fdb96333850e1ab6a1a50cc14ea2b3b04f026380b0bbb1f8b998009bc659e2a3e9ac8209c19ecb8389b795b50c6cae28f60d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
2.6MB

MD5
b455c9fd4cffce1189b5def65fd6da90

SHA1
769b1673d8d9c2ba8e84c7823817d5854b6ae784

SHA256
4f5db2621fc7b7569e289e3aa1d7a296396b1016d13cc689217a6a210415e7d7

SHA512
2912b05199e6fa9afb8aff9a94f3494f9b7d9d8f5234cb2fbed8b6832bf58d2e14670b95fa53e13efc988959d3cf3ff7697aa3480f995f3883093d979d2052c3

Download Submit