463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
Size

2.6MB
MD5

4bf8998655e04dc685c19baef7702420
SHA1

53b15a56d24bbe44c9d395916666fb328cf562ca
SHA256

463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07
SHA512

b57a20acb3affb07f9c70f4b6c6fee762e588b87f6745ca2c18806969bc9b493b5ae199244311f39b11e300f9f42de95ddab00bbdb057ee1c12b77eb48206348
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSq:sxX7QnxrloE5dpUpNbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	locxopti.exe
3284	devdobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files69\\devdobec.exe"	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid10\\dobxsys.exe"	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe
2776	locxopti.exe
2776	locxopti.exe
3284	devdobec.exe
3284	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2776	4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	83
PID 4804 wrote to memory of 2776	4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	83
PID 4804 wrote to memory of 2776	4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	83
PID 4804 wrote to memory of 3284	4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	86
PID 4804 wrote to memory of 3284	4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	86
PID 4804 wrote to memory of 3284	4804	463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe	86

C:\Users\Admin\AppData\Local\Temp\463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe
"C:\Users\Admin\AppData\Local\Temp\463dd82be6dcfa6ee2d86c9997b0f9bfc2b984fbcd8c58f3848f5d309ee64f07N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Files69\devdobec.exe
  C:\Files69\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files69\devdobec.exe

Filesize
1.5MB

MD5
7d0b2e8907a6ba321455c9e60f7d349a

SHA1
959f323085aad4ab5dffb906298668fcc155b4b6

SHA256
ead4b3332010f73c51249e439ac79fa9062f060d1aa941729c0155a2a804896d

SHA512
5740d848ea834132c08c6893dbbb8611fe451572509da5bf8484ad0c88e649df60a7d1de310ab7b5cd0eded467c821031098a22cb819855e309956b4c14a1276

Download Submit
C:\Files69\devdobec.exe

Filesize
2.6MB

MD5
83484ddfa4d75b9b6e9da38b88df6983

SHA1
ec7d4caefbb361274af9e137814c8b34b555a2b2

SHA256
3edc22030aa37eafd9b36470110185a6926e53518fe5637044c8d791cd01d3df

SHA512
912e1b99bfaf77bcaea20efe20a047f8d0831813166f0042c83b8b464e4e476bda7c344a017c69bfcc0bf46a2d2cce72f718995a5c2ff47699282ac63303128f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
87807a820867c4f740cab6cad7aab8db

SHA1
8fad75631882cd1b997a32dbcf603a2b71925f69

SHA256
5649d2c2e5d392601dc98dee2945b36d5519696608712bce84fc55c8861ab14c

SHA512
e25c142afb09511b3552f41303e05ef2f0cbbf70342f102af81a399aba5710dbde8b0b2721575b17c57d006f91b0449494fbaa0518b38005b571b84678b84e23

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
d8208f0c43902c85264c53611b8814f3

SHA1
0bfe6f947b75b128497b72f6c1cea11579ae1178

SHA256
4b39ce606e137a962cf07fe852cdb9cf82e410e8d5c4f57961f1dde56f9cc9fc

SHA512
26469471e2d5d94073a3b65cc5151d285ff52ab9092304a70cfd6aaea8cbb3263512ccb57143b9fd042e0bad4ac899af9bf11cea686ca76370a7c45d6eb863ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
2.6MB

MD5
793e0387798fdf75096f7a3a414cbf66

SHA1
febe3554fc68b4239a131c67663ca838e3778e17

SHA256
5f2e4f77c661c345708e8a23a350eca8f4f7550baa56e6ddac3125a761565af5

SHA512
eb3a9509647b8734ebc9ee3fac5866ef1d8f7588971ed613fa31789695d45881df765d64be063ec386669e65e90cadb70ad66767b20a39f299caf4aa63543064

Download Submit
C:\Vid10\dobxsys.exe

Filesize
2.6MB

MD5
889e0823498f92430981328800d6cb38

SHA1
e5e5e89a40f2b9c2d8ee2e908eefac437e7e4c0b

SHA256
460c14eca0ffec2041a51cda18b66bc091ba06d11727871bbbe52b854c956b18

SHA512
73c5f911390a04b29ac221dc3a3f0977e8f8de82e5521f2709fc22b0133a8542369e8b922842f9e0df26ad4da02ea487bb4a57cf5fa35a54eb6488d0c0169b82

Download Submit
C:\Vid10\dobxsys.exe

Filesize
11KB

MD5
3193f6732970f64ca3094d85171d7380

SHA1
0d2f450337cb69eafa727d6d6de40feb0750ba1d

SHA256
e09faa78045b943266c903ad6e7b69a1069ca062bfda7c5f794f8e9e7eb9ad9b

SHA512
b23afd97dc8f9fe6ddb53b3a780345bde4ea50f989055db34d69d243649f4b7cb2c2c4429e9fa318a396fe363aaa923f2c261ba475390673664ac4fda7c5b3f8

Download Submit