30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
Size

3.6MB
MD5

478470e86bbc59e4ccf21351ba71edcd
SHA1

2b59f1646b99787b79a649ef4f4bca818fd122f0
SHA256

30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb
SHA512

24f049176b4d178a18acf3d4bc8929e07972f2445c8b8830dfbe19792739ea45e319a5987e0075b641763bbf4ef5dd62e0c805864408da077c398b2a68151c08
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpkbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe

Executes dropped EXE 2 IoCs

pid	Process
1064	ecxopti.exe
1720	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMF\\xdobsys.exe"	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ7\\dobasys.exe"	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe
1064	ecxopti.exe
1720	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1064	1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	28
PID 1328 wrote to memory of 1064	1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	28
PID 1328 wrote to memory of 1064	1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	28
PID 1328 wrote to memory of 1064	1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	28
PID 1328 wrote to memory of 1720	1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	29
PID 1328 wrote to memory of 1720	1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	29
PID 1328 wrote to memory of 1720	1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	29
PID 1328 wrote to memory of 1720	1328	30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe	29

C:\Users\Admin\AppData\Local\Temp\30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe
"C:\Users\Admin\AppData\Local\Temp\30f7bf6a2d3173008a9fcdeaa8bdfc5fdf5ae3992ae26577c27cb7f393521beb.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1064
- C:\FilesMF\xdobsys.exe
  C:\FilesMF\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesMF\xdobsys.exe

Filesize
3.6MB

MD5
dc8fe5b55cf26296c3f59aeec0d09e18

SHA1
b80054be0aa7a81d7b6f56b1f90cbbe1735dff09

SHA256
a76921ab0b9f2fae98ad56a4f8d1c79215310e081b5bb5b99d91faa76433154b

SHA512
a1c4e44ee44f66df347105de82bde7d2edd6aa6e87adb08ef26c3d9c285ce393b0ad5862c598165af8ee61f1894296e2f6d5990621bc5a0e2db5a90d59bbdce6

Download Submit
C:\GalaxZ7\dobasys.exe

Filesize
1.9MB

MD5
1915fdd937da72ae64b0e4efabb29568

SHA1
e306db7d90fae6039909a04ae7e257fd803536a7

SHA256
fbcd6d33e24252269fd806045921bf489428be0ba8d67c853a2104e25ec156c9

SHA512
fe533c42e713f5f3e443a1b480d83c005acc09bf41b0eeb26bbb5ec1a1766acff272f58264d99d53c4a5a76f4309158c70f1859de80f94d71174b956dceee86c

Download Submit
C:\GalaxZ7\dobasys.exe

Filesize
3.6MB

MD5
471f9c657259aaa76e1745f725aa1beb

SHA1
85744dc358735f1f6193bc92808847dfa391be5f

SHA256
1d965ce8b258a6ebd52b06c7eb60169a2e8b9d67dc9e2a91f858a5b63543b95f

SHA512
312f32fa826ae819ef9b7382ec437c0a6e235b1b56ce458b8fbbdea29ceeef087a8c39e5622ef2e392fc2598eff609544cf6b05f68e69cfb55258c16fba179f1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
e64de2eb6bdc4f2e815fe5931c117e79

SHA1
17ca06651d0035d6c882036c96d73153009ddb9c

SHA256
50fd787a7f2d0d0b5307c434df64a4e99b9f06e04cd906cd566a8ebde52b1a2c

SHA512
70cd1367844dd2d4b5fa7404cbd2ea39aed6434c8cf7d315620faf964495e38c3dcffa18505c7eff02b8a7d9acd19feb7377dbe92f8803ebd1591daa2dd7c453

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
f04c2e97575342cf8358f17320c92467

SHA1
1662b2f7c41ef7582c74afbabd342543c230f378

SHA256
5ba0fc5667e04fd886c74e410c7de88e944954ba1fe25578bf0d2073fcb72e4d

SHA512
d5627d41bbb576f5d63f000f9b3acdfc190dde98432efcec6ac949334da9b71eff7aa773d14a649bf7a4fbe8c04a3d4a894599ec02413b058fb92423e2791265

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.6MB

MD5
e67cd3d4ec011fd18b43996b8cb70175

SHA1
0be90ba095aff6b390759a1735632566fbb8d05e

SHA256
4ba7674c996eb1f50e4e0dc3ffd6b8aec823254427b8fdcabad3a35b2ebcf734

SHA512
5402efb74794a2b174a5b441a4d6393f75d6a874ad33f54dbb9a5a5c2a0caeca76693b01004afce315e0865f9b9804c752e70994a8752b89d49fc30351d8f63a

Download Submit