Analysis

  • max time kernel: 149s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 10/06/2024, 14:07

General

  • Target: 8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
  • Size: 3.9MB
  • MD5: 2bb714fbf84ca158443dd603b4688470
  • SHA1: 81d65b87d7ae36884eb77d11eb969ae899f81b44
  • SHA256: 8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf
  • SHA512: e070a4fed1c22c047a30797ed950f0e4c941699dc2bcf8e47eeb45152a6c9c08ee18488034d79a384f2e3ebe04ea3731508ccd7a2a77df077fb89de5875c4566
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe
    "C:\Users\Admin\AppData\Local\Temp\8092b58dee25b65228771735bc2d3ffc0982daad80c65ead7204fb734d55c1cf.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2360
    • C:\FilesMF\xdobsys.exe
      C:\FilesMF\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2596

Downloads

  • C:\FilesMF\xdobsys.exe
    Filesize: 3.9MB
    MD5: 71be6c1ae7517bbac8d28462d3c94d44
    SHA1: 35916762bb5e0178a58341551db1c512e7975a46
    SHA256: d105eab433fe6e90fc6cd31c91610b769563a25dfd77497afc3008a06f7936c5
    SHA512: 6dcb20c2d30fdb45af07b2004b0f67796264cf9d96a1a5a2283f475deeda4887c855093feb56431d50774163b1c9d4852755972d3b42a590ad355da9d2625767

  • C:\GalaxZ7\dobasys.exe
    Filesize: 3.4MB
    MD5: b2cf741cf00ee7752fded1c13ca86e67
    SHA1: 5bf71ff4963d39009d2060f0fcc4b1bb30910889
    SHA256: 85b5ee870d6f25216dad4a9d556f4f04095978c45f31e875f7c63e9a0d067667
    SHA512: f76007fb83f752328be44c38fcad6513611f03340c3bc8ad9f3bccfb13471ba47294624a2281199c40bfb8e69ddd7b28f50cae01b9ff429e2d91e72e3374b3b1

  • C:\GalaxZ7\dobasys.exe
    Filesize: 3.9MB
    MD5: cafe264a6beddd483790a28e29b37455
    SHA1: b37eeffb65749fe0edc19595b663ca9d1e79cd44
    SHA256: 561df5c4c7409362e4095b5f92ecc364829effc0d909911098adc0e775b96fc0
    SHA512: 56dc74ef1c04154cbac1aea0ea25350988e6abdd99c81fcd160f4add082b1a97f587eb60a0233ba2fb8b6e2f9c3bcea35296094a8dcee9e2ccb9fd5d8d7cfd28

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 169B
    MD5: e64de2eb6bdc4f2e815fe5931c117e79
    SHA1: 17ca06651d0035d6c882036c96d73153009ddb9c
    SHA256: 50fd787a7f2d0d0b5307c434df64a4e99b9f06e04cd906cd566a8ebde52b1a2c
    SHA512: 70cd1367844dd2d4b5fa7404cbd2ea39aed6434c8cf7d315620faf964495e38c3dcffa18505c7eff02b8a7d9acd19feb7377dbe92f8803ebd1591daa2dd7c453

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 201B
    MD5: f04c2e97575342cf8358f17320c92467
    SHA1: 1662b2f7c41ef7582c74afbabd342543c230f378
    SHA256: 5ba0fc5667e04fd886c74e410c7de88e944954ba1fe25578bf0d2073fcb72e4d
    SHA512: d5627d41bbb576f5d63f000f9b3acdfc190dde98432efcec6ac949334da9b71eff7aa773d14a649bf7a4fbe8c04a3d4a894599ec02413b058fb92423e2791265

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 3.9MB
    MD5: 429dbf32f26f05f7eb8ca0ccf49f22c5
    SHA1: 5cd6a145761d326ee74d9cc12d01509b2d790a23
    SHA256: 78cfa110b23710153995ca642671eabe5fb1790c6614a2cf48ccc2c73333346f
    SHA512: df811d42688147d30fbd7dd00680b622a9c7e796a5825a1ce37e7ca6c18d782cc68305c7ffc7ed78e214bc80a8066e6ebd999c14dcfd823b275955151f45a1f7