8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
Size

3.9MB
MD5

2bb714fbf84ca158443dd603b4688470
SHA1

81d65b87d7ae36884eb77d11eb969ae899f81b44
SHA256

8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf
SHA512

e070a4fed1c22c047a30797ed950f0e4c941699dc2bcf8e47eeb45152a6c9c08ee18488034d79a384f2e3ebe04ea3731508ccd7a2a77df077fb89de5875c4566
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe

Executes dropped EXE 2 IoCs

pid	Process
2360	ecxopti.exe
2596	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMF\\xdobsys.exe"	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ7\\dobasys.exe"	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe
2360	ecxopti.exe
2596	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2360	1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	28
PID 1520 wrote to memory of 2360	1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	28
PID 1520 wrote to memory of 2360	1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	28
PID 1520 wrote to memory of 2360	1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	28
PID 1520 wrote to memory of 2596	1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	29
PID 1520 wrote to memory of 2596	1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	29
PID 1520 wrote to memory of 2596	1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	29
PID 1520 wrote to memory of 2596	1520	8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe	29

C:\Users\Admin\AppData\Local\Temp\8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
"C:\Users\Admin\AppData\Local\Temp\8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2360
- C:\FilesMF\xdobsys.exe
  C:\FilesMF\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesMF\xdobsys.exe

Filesize
3.9MB

MD5
71be6c1ae7517bbac8d28462d3c94d44

SHA1
35916762bb5e0178a58341551db1c512e7975a46

SHA256
d105eab433fe6e90fc6cd31c91610b769563a25dfd77497afc3008a06f7936c5

SHA512
6dcb20c2d30fdb45af07b2004b0f67796264cf9d96a1a5a2283f475deeda4887c855093feb56431d50774163b1c9d4852755972d3b42a590ad355da9d2625767

Download Submit
C:\GalaxZ7\dobasys.exe

Filesize
3.4MB

MD5
b2cf741cf00ee7752fded1c13ca86e67

SHA1
5bf71ff4963d39009d2060f0fcc4b1bb30910889

SHA256
85b5ee870d6f25216dad4a9d556f4f04095978c45f31e875f7c63e9a0d067667

SHA512
f76007fb83f752328be44c38fcad6513611f03340c3bc8ad9f3bccfb13471ba47294624a2281199c40bfb8e69ddd7b28f50cae01b9ff429e2d91e72e3374b3b1

Download Submit
C:\GalaxZ7\dobasys.exe

Filesize
3.9MB

MD5
cafe264a6beddd483790a28e29b37455

SHA1
b37eeffb65749fe0edc19595b663ca9d1e79cd44

SHA256
561df5c4c7409362e4095b5f92ecc364829effc0d909911098adc0e775b96fc0

SHA512
56dc74ef1c04154cbac1aea0ea25350988e6abdd99c81fcd160f4add082b1a97f587eb60a0233ba2fb8b6e2f9c3bcea35296094a8dcee9e2ccb9fd5d8d7cfd28

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
e64de2eb6bdc4f2e815fe5931c117e79

SHA1
17ca06651d0035d6c882036c96d73153009ddb9c

SHA256
50fd787a7f2d0d0b5307c434df64a4e99b9f06e04cd906cd566a8ebde52b1a2c

SHA512
70cd1367844dd2d4b5fa7404cbd2ea39aed6434c8cf7d315620faf964495e38c3dcffa18505c7eff02b8a7d9acd19feb7377dbe92f8803ebd1591daa2dd7c453

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
f04c2e97575342cf8358f17320c92467

SHA1
1662b2f7c41ef7582c74afbabd342543c230f378

SHA256
5ba0fc5667e04fd886c74e410c7de88e944954ba1fe25578bf0d2073fcb72e4d

SHA512
d5627d41bbb576f5d63f000f9b3acdfc190dde98432efcec6ac949334da9b71eff7aa773d14a649bf7a4fbe8c04a3d4a894599ec02413b058fb92423e2791265

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.9MB

MD5
429dbf32f26f05f7eb8ca0ccf49f22c5

SHA1
5cd6a145761d326ee74d9cc12d01509b2d790a23

SHA256
78cfa110b23710153995ca642671eabe5fb1790c6614a2cf48ccc2c73333346f

SHA512
df811d42688147d30fbd7dd00680b622a9c7e796a5825a1ce37e7ca6c18d782cc68305c7ffc7ed78e214bc80a8066e6ebd999c14dcfd823b275955151f45a1f7

Download Submit