234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8d

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
Size

2.6MB
MD5

158fe4ac75d099fe8b6d4b6cefaddda0
SHA1

9e6d3d9e787eb244763c21ac9401745f3c84c781
SHA256

234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8d
SHA512

dbeed827ad7846fd75a0266bc2f0df4b0a41808553584eb1fd44ab1d95ef5a561562e6f3c468ee58d97153ac0435debc85867b216c7b6d2102267f617bb288c7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bS:sxX7QnxrloE5dpUpob

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	sysabod.exe
2968	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5H\\devdobsys.exe"	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBM\\dobaloc.exe"	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe
2800	sysabod.exe
2968	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2800	2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	30
PID 2368 wrote to memory of 2800	2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	30
PID 2368 wrote to memory of 2800	2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	30
PID 2368 wrote to memory of 2800	2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	30
PID 2368 wrote to memory of 2968	2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	31
PID 2368 wrote to memory of 2968	2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	31
PID 2368 wrote to memory of 2968	2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	31
PID 2368 wrote to memory of 2968	2368	234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe	31

C:\Users\Admin\AppData\Local\Temp\234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe
"C:\Users\Admin\AppData\Local\Temp\234eff30046424e1b1e8e07dbd076a055d2ec85bbe5a70d1cd162b0ee620cd8dN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Files5H\devdobsys.exe
  C:\Files5H\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files5H\devdobsys.exe

Filesize
2.6MB

MD5
9bbde322324a1be5e6015a7cb6ca4e50

SHA1
5b82f1fd0d21a5b5d4c240b4024b81cc075988e8

SHA256
29fdb09a400a66bb95292e9484dca8aba63a2ee3b6d2acad675bfe6b4f4d1210

SHA512
34cd8cb4fcd2dbf3a68da7b892b31add622a533d47498260b7523d087e4f9a8ef291db557f5590fec5151da91edf0651231aa9a42e5452061e98f69196e1beb4

Download Submit
C:\MintBM\dobaloc.exe

Filesize
2.6MB

MD5
dc27ab075d053751801cadc7c64f684f

SHA1
5d60bfd733515dc822978dcb0f629e9a679e87c9

SHA256
2cda74745b005e88781e18fc52a06f655c56ef1270fa0b656f443cd4d2c67bcd

SHA512
69dfb798e9088f83db3ed41e8e934a65e34dd375baa10197ec908f7bca7b68e7dfb21f488b7bbab20d737d9c39812d8d3910ff536caa8f46f99c19eb446257e7

Download Submit
C:\MintBM\dobaloc.exe

Filesize
2.6MB

MD5
3b432de006b8ad1e72045986847e7d6d

SHA1
f966f869ca0a95e3907707cfd988b566e67d4d72

SHA256
45019235808e8d3df468dce821213cdcb5cdccfc89a2514ede1f2e5521a04493

SHA512
c657bf8eda998aa6c2fc72e4bd0aa9a15788474f566895a7135a2d5e744e983c42f04c8bbe35efed8a54589951b6249df343387208fc4e63665460df124252c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
c91954dc92364ea0bec2332498d74261

SHA1
fdbe949d7d631dc5d053d023864978d2d0e93fdd

SHA256
e1de7d889e7dec844393563e8533859bf5158bfffcd01722b7db7a273baf96e8

SHA512
ce15d1caabbc1d69ec2e7973beaf706aa6fa14a3e544555f6ce9f489817a929c4cc45f321fb86f268a28e258b793178356116ff648534e36f2bb635044518db3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
1b20d5959ae1dccc94dcae7b300337dc

SHA1
14000a412be0bab37eca2ee2f52ab000252fde47

SHA256
e3fe7d398ace45959b50e488b72ab32de12513352c2a4770ae30eea037864985

SHA512
7f7072c35dcd991b173c2c61d65c70891adb5e5fa95b274e3ae3763def2e6100ec3ad406603deee598fb48df614cfda75b2cd6c33a316a6770300a91c1a07759

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
2.6MB

MD5
ace5c6798609f4d53710713205af11fe

SHA1
ba066f6b92878bbbf333b7386a183f5f56843f73

SHA256
ae1b9afbbf9d9d298233a358c5e6f7606efe06a1a5813daa3aae439662e12257

SHA512
742af2cf39c5fa89807214b9cd5d655137c4b87f004058b7a5207b5770a9d6b64fa536a8d8bdb0055808d492cf1619b730ea83aa0f8effa764c0dbd8b8599ed4

Download Submit