Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
  Resource: win10v2004-20240508-en
General
Target: fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
Size: 3.6MB
MD5: 56981af27179a55421ace1b07a50962e
SHA1: f7fd6767bb14e2859411f06755c022c0fca8627b
SHA256: fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777
SHA512: b4396b9fd47157522bcc846ae688a1a197f5b31ab23ca1d5ff34febaf7bb066a11520237255863e98e66febef6a6ba9556ec5ecc4f69f9e2a2c9b79197817825
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (by fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe)
Executes dropped EXE (2 IoCs)
  PID 2548 ecxopti.exe
  PID 2712 xdobloc.exe
Loads dropped DLL (2 IoCs)
  PID 1904 fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe (2 entries)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEG\\xdobloc.exe" (by fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH4\\boddevloc.exe" (by fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1904 fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe (2 entries), then PID 2548 ecxopti.exe and PID 2712 xdobloc.exe alternating for the remaining entries
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1904 fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe wrote to memory of PID 2548 (procid_target 28), 4 entries
  PID 1904 fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe wrote to memory of PID 2712 (procid_target 29), 4 entries
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"
  PID: 1904
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    PID: 2548
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Level 2: C:\UserDotEG\xdobloc.exe
    Command line: C:\UserDotEG\xdobloc.exe
    PID: 2712
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads