03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe
Size

2.6MB
MD5

9c7ed5f2aa325792de47e4ec60234fd6
SHA1

6fe579101b08e5a061b32c9ef223cc6ea3f2e6b3
SHA256

03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a
SHA512

ff2736404e35f30f09a4990fcb03c33bb99e8970f52766166c6122587cce5628332f4f0b67117745ec9f30025893172a1b45d1f54d109a0f1927b7076ad08b1f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUp9b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe

Executes dropped EXE 2 IoCs

pid	Process
1720	ecxbod.exe
2672	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe
2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocME\\adobloc.exe"	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUP\\dobxloc.exe"	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe
2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe
1720	ecxbod.exe
2672	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1720	2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe	28
PID 2084 wrote to memory of 1720	2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe	28
PID 2084 wrote to memory of 1720	2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe	28
PID 2084 wrote to memory of 1720	2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe	28
PID 2084 wrote to memory of 2672	2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe	29
PID 2084 wrote to memory of 2672	2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe	29
PID 2084 wrote to memory of 2672	2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe	29
PID 2084 wrote to memory of 2672	2084	03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe	29

C:\Users\Admin\AppData\Local\Temp\03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe
"C:\Users\Admin\AppData\Local\Temp\03a60069bff80a4afd07d393a339c33c4358ce6ce02ece641764813471f6656a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\IntelprocME\adobloc.exe
  C:\IntelprocME\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocME\adobloc.exe

Filesize
2.6MB

MD5
8b32d80133d741db2901051f7d656f7c

SHA1
6a1a41b22f491c4f0cadf899934b50641fa08d97

SHA256
3cc1499e0b600a0689f5d03bd1f6beb272472e74e46740d30a7364d63092fc46

SHA512
f10021ca208a55983d81507973b3e83e95eefa7f14f826b74f912d4c23a247631c7c1604d1de43230c1c8a25e630c185f6e750b40bc0ad5dc56baa1bd4270d73

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
9895ffa4b9aa3197270c8dc986bd9068

SHA1
4030151b75fc345b9404e442d1c504bda0f28a16

SHA256
7300cf6bf92b5ed25576196f08cf51d18ee7fbd7dcecd5d01d951fcb5b7d13ec

SHA512
258fe231d0ed7eaf3cab21fb5d8d41b3bb1f989074dfbeacca57b999b0527d69b80ffc74dc3119a388869fa7d136675724c43153931b3a1417bfcd4bfe16400c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
eac59749f17d48f4e887ac17f503b917

SHA1
f6bfdf718d61f2372550aa9394848cd393e66647

SHA256
9a12c68af0506a4115b19b00634245a7f26bf8f1b4203a2f52be520b54a7dfb7

SHA512
621fe140185396346a7b82ee9a15f1afbd31878e9fd189ee3ed10741b85f979765a643f48ced1981f9bca461105861163ae03f0e9a0da138d284642a27b95bfe

Download Submit
C:\VidUP\dobxloc.exe

Filesize
2.6MB

MD5
813c47699d7e30b896bfea18d2dd4e78

SHA1
5bb9c11f6d2a9a1fbeec95397258d983174080c8

SHA256
c231c3f6ecaf623330c2861799895feaa8451c726edae0ae2d9267f24ecdd259

SHA512
ef9d334034f016a1a6722926dcd8986b4b0bbd3ab2addd42702d06a6ef79a16d0c739d27ddbbd8d45679d67f16fa9782c2a8a5cb970580ec6d74d06ffa8886bb

Download Submit
C:\VidUP\dobxloc.exe

Filesize
2.6MB

MD5
071036bbccd5beb4b9d5f5c1727e6c83

SHA1
c7a3d156ded3797b9c75705571d2a8a3e2d56606

SHA256
2db817f7c4f68bf421bf208421a322c58bb5cb28a5297e7a6b130cad1fd0a184

SHA512
2d99532f430f9ba3ea81902fd3524e0152836032d32739d8450c72aba6c6f19a6a3c2e5bb498421acaa12d2feb4dea469e79b700d82198c70085176347627c97

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
e1b8739258661094670aace8b2997da7

SHA1
62685f7611d4d89d398783a2e332107ee12ef935

SHA256
2672454f2f57f3c180c8a9b91d1b45bb7ca53fcfbf5bdcc559dc5387b2a43d29

SHA512
827482a39c1fae9d753049ddf336dbbe4424811d855d36d74b0e12f10c84342e4be298b6661de4d80956dbee4817f83b112a5c11fdc1c3af5017f7ce5eed8db0

Download Submit