Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 03:02

General

  • Target

    b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe

  • Size

    3.9MB

  • MD5

    5348da2c63a0193d370a7da78fc3a8b9

  • SHA1

    69a1ebda52b6fdd73cff4b646c336410dcb6ee3a

  • SHA256

    b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a

  • SHA512

    88230ab1ec96238f6321c5b2a6a4f5166be9da183ba4d075c5113a9187d24c685f91f8571cf0ab66f751104e36a73cb6284a6dd9b3c676316d91f4fe392d79a4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpfbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe
    "C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2172
    • C:\IntelprocF8\xdobloc.exe
      C:\IntelprocF8\xdobloc.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2708

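The two persistence mechanisms flagged above (a copy dropped into the per-user Startup folder, plus a Run key whose value the report does not list) are the first things to check on any host suspected of running this sample. The script below is an added example, not part of the sandbox report or of the malware's own tooling: it enumerates the Run/RunOnce keys and both Startup folders, resolves each entry to the binary it launches, hashes it with Get-FileHash (PowerShell 4 or later is assumed), and flags anything matching the ecxdob.exe SHA256 from this report. The "unusual location" rule is this example's own heuristic, motivated by the report's C:\IntelprocF8 and C:\MintZC drop directories, and the Run value parsing handles both quoted and unquoted command lines.

```powershell
# Added example, not part of the sandbox report: enumerate the two autostart
# mechanisms the report flags (Startup-folder drop, Run key) on a live host and
# hash whatever they point at. Requires PowerShell 4+ for Get-FileHash. The one
# known-bad hash is ecxdob.exe from this report; the "unusual location" rule is
# this example's own heuristic, motivated by the report's C:\IntelprocF8 and
# C:\MintZC paths.

$KnownBadSha256 = @{
    '1F5C9920B1F4188CFEAA165237918081C434A9F817452E6ED58D25BD6C639995' = 'ecxdob.exe (Startup folder drop in this report)'
}

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on x64
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user folder, where ecxdob.exe was dropped
    [Environment]::GetFolderPath('CommonStartup')   # all-users folder
)

function Resolve-RunTarget {
    # Reduce Run value data such as  "C:\a b\x.exe" /q  or  C:\a\x.exe -s  to the binary path.
    param([string]$Data)
    $d = $Data.Trim()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 1) { return [Environment]::ExpandEnvironmentVariables($d.Substring(1, $end - 1)) }
    }
    # Unquoted data: grow the candidate one space-separated token at a time until it
    # names an existing file, so paths containing spaces still resolve.
    $tokens = $d -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $cand = [Environment]::ExpandEnvironmentVariables(($tokens[0..($i - 1)] -join ' '))
        if (Test-Path -LiteralPath $cand -PathType Leaf) { return $cand }
    }
    return $null
}

function Get-Verdict {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'target missing or unresolved' }
    $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($KnownBadSha256.ContainsKey($sha)) { return "KNOWN BAD: $($KnownBadSha256[$sha])" }
    # Heuristic: autostarts living outside Program Files / Windows (AppData, Temp, or a
    # directory created directly under the drive root) get a manual look.
    if ($Path -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') { return "review: unusual location, sha256=$sha" }
    return "ok, sha256=$sha"
}

$findings = @(
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            $target = Resolve-RunTarget ([string]$k.GetValue($name))
            [pscustomobject]@{ Source = $key; Name = $name; Target = $target; Verdict = (Get-Verdict $target) }
        }
    }
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
            [pscustomobject]@{ Source = $dir; Name = $f.Name; Target = $f.FullName; Verdict = (Get-Verdict $f.FullName) }
        }
    }
)
$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are readable; a "target missing or unresolved" verdict on a Run entry is itself worth a look, since it can mean the binary was already removed or the value data uses a launcher (rundll32, cmd /c) that this simple parser does not follow.
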
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocF8\xdobloc.exe

    Filesize

    3.9MB

    MD5

    268e3a8ea03287cc7519a0fc60327041

    SHA1

    fd97ab6c6a34afae79be113b65d0cb2b759a7fbb

    SHA256

    a7c764aef2089180982c3e8cb355bd584a4a48aa23756178f587686d76c8069f

    SHA512

    7e0759d4ed7faa89fd3cb514687a0e940866f1bcc4a260e9308ee7c3486d631e4cbb0c03b78e54d04df50721ef4119e25a43e2393e70643634947036dd4e3a8c

  • C:\MintZC\dobdevloc.exe

    Filesize

    2.4MB

    MD5

    424003c69f4fc0796d25305b5f9a63cd

    SHA1

    3593266b389b107756031ca1014c0c2626df28b8

    SHA256

    401f5eb1cf75bb9f0b6e875f2ca49beef8814b090bd8bc20e49288795e52f92f

    SHA512

    225dca45bf16a74c13493efd5e6f18f5f804c03f7cfcb0db258b0054f71b5015ba68fca9aa7beb8b77e838542226abbaf1cfd0a54dff88f6e5a97f196dcb7c39

  • C:\MintZC\dobdevloc.exe

    Filesize

    3.9MB

    MD5

    cb1208bbb917de445bb915dc77b92cd0

    SHA1

    c43fd95221fd5eb8de97510a36e89c4b18a2969e

    SHA256

    63071af24c13178e280d5895f4ee7f734053a6f3bd5e9d579d0d96c30036eb7f

    SHA512

    93f84e7778ad8294e8d12ec39dd8672323b82a8788a139ed7fdcfe3e9a5ac48bc5718384907bc0bfed944a9a2903fbf284a7aaeb2c951c2e1158036763a68482

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    bfbb8c9960c21bb08a00c0f55d16abd5

    SHA1

    16e0971c4dbef3843d0221c3d096c81ed48a68d5

    SHA256

    ac783fe12aca03853871e3ac883a5a9c601ee4e3456a9e37ab23e3c8ec72919d

    SHA512

    b87c1b3240f738722cd1093579ba029ddec6941ce1c691eef58308d78156a61879c89675b4a6bad5a4bbd1ce42bc1644c0c5ed5fa164e2d42738653269835a8a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    a2e6faa03a599daf73c7ab57f7149a57

    SHA1

    c66ad9a45cbc257a60f687b04766388ca0e95c10

    SHA256

    0af66223fe33e1e32d2990aa644e0dbc4d0a7c1f1855bd1a99d0fc2b303860e9

    SHA512

    88fb207c58f4ac1ab18b00fd05f20b1e527b24c81c74a36a636ff4b5210b6a3542ce2bd9344d5bdc3aacc48d6b64bbd3a78089de6699aaf0a806d3745a81b9eb

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    3.9MB

    MD5

    4488b978aa7bf6050d07b0c1300baf12

    SHA1

    4b50049088faf7df3c01417ecaf7544be356c8ef

    SHA256

    1f5c9920b1f4188cfeaa165237918081c434a9f817452e6ed58d25bd6c639995

    SHA512

    fbfc4cf713c7b1c57fe5d6bfd0b62b06f58d313db82d05ad755761c8877f2d0be321256cfe13e934507bfd22b215cde1b29fc6d1faca26013d337ea8ac7089fa
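
Two things in the Downloads section matter when turning it into indicators. First, the same path appears twice with different sizes and hashes (dobdevloc.exe at 2.4MB and 3.9MB, the .ini at 173B and 205B), so the sandbox saw those files rewritten during the run and a path-based indicator needs to accept every recorded hash. Second, the three dropped executables are all 3.9MB like the parent yet none of them shares the parent's hash, so the copies are not byte-identical and hashes from this one run should not be expected to match another infection. The script below is an added example, not part of the report: it checks the exact paths and hashes recorded here, then widens the search with two assumptions of its own, a name pattern for the .ini (digits, OS version, user name) and a sweep of non-standard directories directly under the system drive, since IntelprocF8 and MintZC look like per-run names. The "Admin" profile paths are mapped to the current user's profile, also an assumption.

```powershell
# Added example, not part of the sandbox report: check a host for the files the
# report's Downloads section records. Paths and SHA256 values are copied from the
# report; the user-profile mapping, the .ini name pattern and the drive-root sweep
# are this example's own assumptions. Requires PowerShell 4+ for Get-FileHash.

$KnownSha256 = @{
    'B51BE1A1106FC7EB8A2DB1C43BB5C34C7F66872D1421D2C0265767AFD57D994A' = 'original sample (3.9MB)'
    # Dropped executables: same size as the parent, different hashes
    'A7C764AEF2089180982C3E8CB355BD584A4A48AA23756178F587686D76C8069F' = 'C:\IntelprocF8\xdobloc.exe'
    '401F5EB1CF75BB9F0B6E875F2CA49BEEF8814B090BD8BC20E49288795E52F92F' = 'C:\MintZC\dobdevloc.exe (2.4MB write)'
    '63071AF24C13178E280D5895F4EE7F734053A6F3BD5E9D579D0D96C30036EB7F' = 'C:\MintZC\dobdevloc.exe (3.9MB write)'
    '1F5C9920B1F4188CFEAA165237918081C434A9F817452E6ED58D25BD6C639995' = 'Startup\ecxdob.exe'
    # The .ini was written twice during the run
    'AC783FE12ACA03853871E3AC883A5A9C601EE4E3456A9E37AB23E3C8EC72919D' = '253086396416_6.1_Admin.ini (173B)'
    '0AF66223FE33E1E32D2990AA644E0DBC4D0A7C1F1855BD1A99D0FC2B303860E9' = '253086396416_6.1_Admin.ini (205B)'
}

# Exact paths from the report. Assumption: the sandbox user "Admin" maps to the current profile.
$Paths = @(
    'C:\IntelprocF8\xdobloc.exe',
    'C:\MintZC\dobdevloc.exe',
    (Join-Path $env:USERPROFILE '253086396416_6.1_Admin.ini'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'ecxdob.exe')
)

function Test-DroppedFile {
    # Hash one candidate file and say whether it matches a recorded hash or only a recorded location.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $item = Get-Item -LiteralPath $Path
    $sha  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $verdict = if ($KnownSha256.ContainsKey($sha)) { "hash match: $($KnownSha256[$sha])" }
               else { 'location match only; hash differs from the sandbox run, treat as probable variant' }
    [pscustomobject]@{
        Path = $Path; Size = $item.Length; Written = $item.LastWriteTime; Sha256 = $sha; Verdict = $verdict
    }
}

$results = @(
    # 1. The exact paths the report recorded.
    foreach ($p in $Paths) { Test-DroppedFile $p }

    # 2. Assumption: the .ini name is <digits>_<OS version>_<user>.ini, so the digits, the
    #    version (6.1 = Windows 7) and the user name may all differ on another host.
    Get-ChildItem -LiteralPath $env:USERPROFILE -File -Filter '*.ini' |
        Where-Object { $_.Name -match '^\d+_\d+\.\d+_[^_]+\.ini$' } |
        ForEach-Object { Test-DroppedFile $_.FullName }

    # 3. Assumption: IntelprocF8 and MintZC are per-run directory names, so look at any
    #    non-standard directory directly under the system drive that contains executables.
    $standard = 'Windows', 'Program Files', 'Program Files (x86)', 'Users', 'ProgramData',
                'PerfLogs', '$Recycle.Bin', 'Recovery', 'System Volume Information'
    Get-ChildItem -LiteralPath "$env:SystemDrive\" -Directory -Force |
        Where-Object { $standard -notcontains $_.Name } |
        Get-ChildItem -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { Test-DroppedFile $_.FullName }
)

$results | Where-Object { $_ } | Sort-Object Verdict, Path -Unique | Format-Table -AutoSize -Wrap
```

A "location match only" result is the expected outcome on a host infected by a different run of the same family; in that case the matched file, not the hash list, becomes the new indicator, and its LastWriteTime gives the starting point for the timeline.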