36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec

General

Target

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
Size

3.9MB
MD5

23e90af209709ce8901a4dd3433cf4b3
SHA1

6d59513c6a2601214cfe5dc0c144d52486b087c7
SHA256

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec
SHA512

9582c5e5ff76f17431dcb5e672b97fb1e661c6d10172a12cb88647253411e2ab3a974704b5e8977efabe9d1ad6f358095a4c9d5c4273874f27b77bcbff52e558
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8:sxX7QnxrloE5dpUpPbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

Executes dropped EXE 2 IoCs

Processes:

ecxdob.exexdobloc.exe

pid process

1800 ecxdob.exe
2168 xdobloc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1800	ecxdob.exe
2168	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIQ\\xdobloc.exe"	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJC\\dobdevloc.exe"	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exeecxdob.exexdobloc.exe

pid	process
4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe
1800	ecxdob.exe
1800	ecxdob.exe
2168	xdobloc.exe
2168	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe

description	pid	process	target process
PID 4580 wrote to memory of 1800	4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	ecxdob.exe
PID 4580 wrote to memory of 1800	4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	ecxdob.exe
PID 4580 wrote to memory of 1800	4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	ecxdob.exe
PID 4580 wrote to memory of 2168	4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	xdobloc.exe
PID 4580 wrote to memory of 2168	4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	xdobloc.exe
PID 4580 wrote to memory of 2168	4580	36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe	xdobloc.exe

C:\Users\Admin\AppData\Local\Temp\36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe
"C:\Users\Admin\AppData\Local\Temp\36fb695ec0b3e86da0d98d913b7d62974b449c4a9e060005170c6371ff3b79ec.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\AdobeIQ\xdobloc.exe
C:\AdobeIQ\xdobloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeIQ\xdobloc.exe
Filesize
6KB

MD5
c8190a91500bb1d9caa61e3b11eaf128

SHA1
ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

SHA256
6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

SHA512
bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b

Download Submit
C:\AdobeIQ\xdobloc.exe
Filesize
3.9MB

MD5
bec7b4fde0736a8183e1f49cecbe7fcd

SHA1
d7510d59438f3c150eb0257ee209943a37746b38

SHA256
fe1beaa19cc0d46eaca3b9857097605f6d216cbb95ff17caae66b5acacae6011

SHA512
febd679e3d4647a3b8932a7a5c9fcabbcc475f4ab69674c4c4f86ac13fa574472028d93da617ed3381b86ab7cdbac36b3122eafa361c7cafddfef9a877d91331

Download Submit
C:\LabZJC\dobdevloc.exe
Filesize
3.9MB

MD5
bc83a594cc81ad3fc18e215263e13194

SHA1
2d64a4f37b3c7c87e3f7526fccbdbbc5d9c21bbf

SHA256
eea4e9e0d83a2aaa626e58328bf48b05a0bcbbaeeb08ea5b270c4fca967356b6

SHA512
c9ada93ac08a09be6eb68a2a554806c5a7bfc6affc579cf4163810ffae4a723ea3d4aa2e01b690015afadb4e61704f88bc352f6e38f344cba2b553fdea2b1078

Download Submit
C:\LabZJC\dobdevloc.exe
Filesize
1.9MB

MD5
7904380b5b543e186a0dfa78bba6a483

SHA1
7a02199b2b05224b8074f3150ce531fe38cb92ff

SHA256
bbea7dcfd939ee4a2fc200786c29081a9d1f112c75bfc86917d6c321815dd7d9

SHA512
e4247abe00286426c2de32ccc36190f21e5e7bec00d2e60658d436eff807ef217e028c80d6aea7414adeea61392e18530c92c58cc7e77fb3d961eda595d40e0b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
201B

MD5
48ef2fc82e5f4b273f07006544965edc

SHA1
15ea8dc031c50b4bed3dfb219427d208536f6ade

SHA256
2012f31672643fa797d7ae356768367a25fcbf70fe252d80d0d71002fcc97f1c

SHA512
fe48a4842a89c54d7e033c91eb5eac687a68ca83fdc5669811b4dcbbbd417a1fa9b50f2f828516ccdd821022c31fe8d1c48c672ec18c39b1c9cce43cdd4b71d0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
169B

MD5
ae1693dee29ea9f76258eb51ff7773d1

SHA1
6920559e2092c108110d40bb14f4adaa6bad50ad

SHA256
da5d5e7c7c898393d2bc352d42d29d31e4d540b922b038ab53b569d3a6ae2462

SHA512
b8d64f330fd21b51a488b7c17892c0282efa9bb3d6f706095802318d13438b0ef04cf9ff9b1b177466d538a4047477025b3f627a06afa9e74f7d942dd26d8435

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
Filesize
3.9MB

MD5
57da67c57f25fe5a1cf54e40ca9e968d

SHA1
7942a5edea3b362e3438da23d42c08e13bcac638

SHA256
cd0494d0fdf2d1e3803709d0ad179170787a1c7350e4d123c9f700f854d36233

SHA512
6ccdb16b82c97f3d34606d8e697fd950f285f3a8bc24c4d0fc6774c48e57ddac23a80408731d7e604f6ef9dd650ec1cbcb8a2496a9caffbfa60b1f891bafb5c8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads