9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
Size

2.6MB
MD5

154103da74afa24dc7e5f11cb36ad409
SHA1

650301da740464fec9cd7904c1e4d9c54be5b472
SHA256

9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c
SHA512

945fe0877cfa90ad9a745911d195c35eb86269ee556af5dccfdf30bdfdc41f53f435761d0c013f8c47ae5935dc66cd309870a33cb313124c9379c79aad98b570
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

Executes dropped EXE 2 IoCs

pid	Process
3696	ecxdob.exe
2072	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTF\\xbodec.exe"	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax98\\dobaloc.exe"	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe
3696	ecxdob.exe
3696	ecxdob.exe
2072	xbodec.exe
2072	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 3696	2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	93
PID 2132 wrote to memory of 3696	2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	93
PID 2132 wrote to memory of 3696	2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	93
PID 2132 wrote to memory of 2072	2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	95
PID 2132 wrote to memory of 2072	2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	95
PID 2132 wrote to memory of 2072	2132	9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe	95

C:\Users\Admin\AppData\Local\Temp\9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe
"C:\Users\Admin\AppData\Local\Temp\9b08b68b0c129fb647926bf903b864441dfbda2c7812646efea4695293608d7c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\SysDrvTF\xbodec.exe
  C:\SysDrvTF\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax98\dobaloc.exe

Filesize
2.6MB

MD5
cb55450d471f362e6dd07f9dd14886aa

SHA1
582881da53f6f25ce156ca3f9cfcaee22728f77d

SHA256
38d1068ec289c65b36badc77d5f9708f7705bae0c49305c643d094af5765c5b9

SHA512
df66ea05d8863e5fd2b21febd3910c6b46bb86dedd301a277cde01bd3e0d1a7e51a56b3162134f10246e81b39d4596020d48a0ed504bd12f4f79a015c60b5a70

Download Submit
C:\Galax98\dobaloc.exe

Filesize
2.6MB

MD5
8767d24ce009dc35c7c5af1ffe6b7f89

SHA1
ea8cdde4f53794fbb479c42a0338d9c7cdad59a5

SHA256
e8c97eba1de3ab86819323c0fdab74cacf3fd5203e0d9f7ccf96aeb48754e3f7

SHA512
2dab5e9bf5094c784d1907915ea313895b782a1acce7c50fc9fc7527b09731dffe46576e7e4062b333d9673b6836aef5995b2546eac341028bf03513f7d31039

Download Submit
C:\SysDrvTF\xbodec.exe

Filesize
2.6MB

MD5
cd357b60d7e43c49a1b8dd04a8b7641f

SHA1
f8a622b0616dc6c57539d5802c99301996440c04

SHA256
8680a168644af5bd44f4816b06d3810095cad06c048eb778b2b58e891cedb539

SHA512
878397f1d65a6f480f479ad0ea9c14738b2ec10cb2dc110658d4e1a312ceb73cb29dcdb2ca55be484e80796a186ec05d53308162b53c4301556f7b77512ebb13

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
ef5d1cf2ad141afd3f0dd419e258d75e

SHA1
0281d438059e88309e924a829d741b50e98a0a97

SHA256
1ce14d8da355de1ad40a7d40e185eb8a548b57133a4f5dd5e6f521453a192191

SHA512
3114b070f178b3006105d8a0eaf1fb091081a596f992b1e9584ec81922e011365513435ea8990c86874e3813aef52f3ba9f44881fbc7f4dc836417054dbf4224

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
c17453c1a38bbb695708f447d26b9460

SHA1
dd1bda2000f83aa97322595f3a33d3397aaa92e6

SHA256
a6bd89bc64c297f8750c7733f16b7949ee79fd414f19d60c2db5c17ab6e578d1

SHA512
83998c3790a07b200c311341575d5780d4eaed187f1c87e4bbe5518bad4049c168017d19055d4148f98a2fb966aef911a8cf1b1e151072d15739f574b07cba5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
c8f8a9ef50322a055d7acc1b566bfce3

SHA1
8aeefe9df242a91382d75cbb5f4b86107927c05a

SHA256
b5067e72a3d5cfcdb6751e9729e3ffa632b6e276e7e7eed1d77f46f0a76cc7a3

SHA512
eb88b76bb7dd635ecd5668555d535c1aa090935cccd517cc6d8d13c67a73649c8864e67cfefd58a635ff3f7db64a92cd6c0de87ced36124b9eb0631f715ba356

Download Submit