434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
Size

3.2MB
MD5

4c8cb99a8004e60e900e4564dd8ab3fb
SHA1

02132229ff03029fbf20b2f4bc8d1e940855e1f0
SHA256

434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315
SHA512

c3e97e95bd6c405281527dfb3fc9fa7bbab51594d9db0cf0b95075e597a9df643181946bd52cc55006dffb322bcf3a513abb8253b6ba90f27b259411483b0dc1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpIbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe

Executes dropped EXE 2 IoCs

pid	Process
2468	ecxbod.exe
2688	xdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeO7\\xdobec.exe"	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint9U\\dobdevec.exe"	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe
2468	ecxbod.exe
2688	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2468	2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	28
PID 2220 wrote to memory of 2468	2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	28
PID 2220 wrote to memory of 2468	2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	28
PID 2220 wrote to memory of 2468	2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	28
PID 2220 wrote to memory of 2688	2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	29
PID 2220 wrote to memory of 2688	2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	29
PID 2220 wrote to memory of 2688	2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	29
PID 2220 wrote to memory of 2688	2220	434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe	29

C:\Users\Admin\AppData\Local\Temp\434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe
"C:\Users\Admin\AppData\Local\Temp\434c86c4f90194725e1b6c2f3fb760edc14d4f8cfaa91333ea8102b785c1f315.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\AdobeO7\xdobec.exe
  C:\AdobeO7\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeO7\xdobec.exe

Filesize
1004KB

MD5
56d8d838932431c8f0fc7666c605e47e

SHA1
632663a9fe596205d3da641fb3e63d06a40f083c

SHA256
79e50406636f1168fad19cfaf20a80bb745f943c3234987261ef23ac9a14cd5b

SHA512
47e0d20a23db2165e4f5d9c6f7929d9bf18759fdf2bef3d14258239749b5614489be9369fecf9181223880a9ce6a3d3ca4e2202cfaa4390d311de108eaaf1226

Download Submit
C:\Mint9U\dobdevec.exe

Filesize
9KB

MD5
bceeb783568178019cfa9ce19da30a69

SHA1
3918c6d01f7a27b2a71133015ea935c5555085ff

SHA256
41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd

SHA512
7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0

Download Submit
C:\Mint9U\dobdevec.exe

Filesize
48KB

MD5
f0ce97479e626616a6d35d9b981068a3

SHA1
2359da0b9cd8e3b7d36e71c3b6776007cd1d1d99

SHA256
9860ad7c5673d9e73fd3eb2c92aa420e6c0917981995ded79ab875c24becbfd0

SHA512
e363e31e141a31b4e8490a88197ffd390c59d83f5da0fa757a1198787abfe9c1ed649d5ed053c9b6a3d1e5b98725a7c46a107383e5053262f2cc56d1e6e6a42d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
ab5d650bc6a7d82c78bbfd20ba23cf77

SHA1
93dd433db59a420985171efe0bc8d13db9a6768c

SHA256
d64590aaed73873ba14829c12108cbe953824f2ce70b24d158ea00c32b722959

SHA512
6a0ae37832388ac303daa11cb04b0fe58392471f186b245be7386bf83a8ca507b16985a908df029977f512f73866e6bb0a05e64a8da0c1f287816c4c52d36103

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
ef947e43f66debd28559aec009193f44

SHA1
6343dde1526d22de909e3c0b9c48aa09f555fe8b

SHA256
e7e16fffed0d735dacdb23c8b5d14cc47cf73a2cc46b14ce99388976295b0301

SHA512
676c6a82e57e39f18915f68ac4f4ce206e2c6ab80eb8fab33c3b1dd55a5743110ab7064a0423914864dd58886414da31d2a22fe6d4386555ed18dd18015587a0

Download Submit
\AdobeO7\xdobec.exe

Filesize
3.2MB

MD5
1f3c1b56c01d7e5726750d5539ae169a

SHA1
9dab235b0202e1a6925a9df7dd110e2fdad6736b

SHA256
7e1cf39847a1d995b635249dde2172d809c443ad132f63f26ed7f1f799df1954

SHA512
133452762b4b7dc0d796af71a5e6ed85a9c952cde0cade4b66ac413e7ba7f374507edb8f7d6abb72d622825cc8d3173259c6872f3a09030dc3e0b9a38c3a2ad0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.2MB

MD5
176c0fb1c8c70395e597ae89904ce740

SHA1
871dd900afdb593ccfe2a1cab53507008e3df66f

SHA256
329b664393623fcb696ba558312265b4529f704aa087c87dce43da0338d9bd8d

SHA512
40c3e45d710cbe5032142e0018992ff54d4aec12229183a489f38b0e8602d1d91811c70118608b5ed1a6b5547150a4c9c212488854a238a748f0d0711692b1f8

Download Submit