2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 20:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe
Size

3.9MB
MD5

b20f506db35e2cf36bb625d44bf74ffa
SHA1

9cd00d3004aca175d9e2e39f14bf6a7917a0242c
SHA256

2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48
SHA512

4c1d061fc9e6089336359f789077f4656dc0dc18a8dc1313652bb507b91dd198a43a386dfc38e41f0b1bf03f2ed23c810bbe8bbbfa5b3415a4ff4b811ac6d621
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	ecdevdob.exe
2556	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe
2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVT\\xdobsys.exe"	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ47\\dobaec.exe"	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe
2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe
2696	ecdevdob.exe
2556	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2696	2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe	28
PID 2380 wrote to memory of 2696	2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe	28
PID 2380 wrote to memory of 2696	2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe	28
PID 2380 wrote to memory of 2696	2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe	28
PID 2380 wrote to memory of 2556	2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe	29
PID 2380 wrote to memory of 2556	2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe	29
PID 2380 wrote to memory of 2556	2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe	29
PID 2380 wrote to memory of 2556	2380	2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe	29

C:\Users\Admin\AppData\Local\Temp\2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe
"C:\Users\Admin\AppData\Local\Temp\2cce370417f46447718fc98fd95161299b5a624451bb02c94529f3e97bbc5e48.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\IntelprocVT\xdobsys.exe
  C:\IntelprocVT\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocVT\xdobsys.exe

Filesize
3.9MB

MD5
a263a96be27ca6825d54017296d78568

SHA1
1a7319e0c734b1fea6538fa38206161010fb0e4a

SHA256
ca00560b1f4fad732d2522608b12e9a121b866376ad811791d0651a162901371

SHA512
cd844cf801c1d23f59c1f4f558e23775986ac8ea1a8ecf4fb819238f621a9b0dc7707aa3bb14f444d64ae5a13971a8cbf2ca4f3fbed9e6cad9a866063f28f644

Download Submit
C:\LabZ47\dobaec.exe

Filesize
3.9MB

MD5
c188ca649a122b30d3bb1486db941714

SHA1
b2ba122bf2cc99cb9ae137b6e6bd60883c4a2fbe

SHA256
3e19ce23ca3b707be2f9e9becef53dec8a937884bc9ab79878e52e5c71f293a1

SHA512
c6063638ede02b8e7a61be021511ff38970a59c9c1abf2ca61e326780995b97520708bd75dadc83264b25a1723f3650fad8c5ce5d2243724fcc7afe0edc872b5

Download Submit
C:\LabZ47\dobaec.exe

Filesize
3.9MB

MD5
e6d259605f212e98edb3f3f208f10a4e

SHA1
2bea51b3d749135f82023fcd120d745d29782309

SHA256
30fceda8cd90bf267ab0fe9cdb700690eb9e337376b25fdf6b0531cca38f1938

SHA512
fcca67ba9bb54374145b30f33157c75fb19f5d7133c27adadf04ebf0cf9355f76183f56661089922cfe4065397e9f91831393af985327355705429f3189d36ac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
09f4ff49cde2dc9b2cc86ec5159436c7

SHA1
9caa1001a36c57fc5f1ce0e820f1dd46d9c07ca5

SHA256
79e0812b83e0da333ea5bfd704aa435ca2eba8ad8e3217ef276d1048981eca2b

SHA512
8a66abaa5942dd78c2fd217f3c889b05d3ae54190ff5f2c1e3e7b9838f6c4a8b5c30eaa6859e0298ba009e490d40893ba9d2660fbfc59df5cada32c13d352ef8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
709fb076c259343bd63541e93a081446

SHA1
ab1262f3f43dadd091409e0e0d953120629638aa

SHA256
2d7274dd2728671e4f279fc1b907069710f35a8ec9faaf1c0915b93caf710dfa

SHA512
c596f1e01f87e2ffddf29ba2085c920adeae80c825c26d519612c428eb675f7ba0387345c3216879bc393c7d853c5cf7cc6eb2407c00edc1e506d7236552a248

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.9MB

MD5
f8491bdc5fb8396f9727c25bf4a983c5

SHA1
fae1adb5f89a888df395e1965013a26aeed2d15c

SHA256
cfb8238e302ae87caa454a950fc9f7749ea496a2068af04a1171cb0ffccc568e

SHA512
24a8a3f56e69c9d0f796b104a1bba88bfd34ccbff711bc5d2ef5abac5bffe62abce60d3fafc0f449bf8ca59c47a778c8dbfead57060aeeed09ac677eaad61037

Download Submit