b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 03:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe
Size

3.9MB
MD5

28208a52f99c4ec8b01e46751b2bff9e
SHA1

f018b04ab0c6785c83de361818d0827eb100727c
SHA256

b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d
SHA512

db8d259ddc839749e4e928c22d29114d1bce23fd7b7a5d3fe0917f21286267808834a82a535e77771524ab3cbc7763aaf2689c8846ae6721afa3eea1421b872f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8:sxX7QnxrloE5dpUpTbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe

Executes dropped EXE 2 IoCs

pid	Process
2660	ecabod.exe
2656	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe
3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK5\\xdobsys.exe"	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6S\\optixloc.exe"	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe
3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe
2660	ecabod.exe
2656	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2660	3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe	30
PID 3036 wrote to memory of 2660	3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe	30
PID 3036 wrote to memory of 2660	3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe	30
PID 3036 wrote to memory of 2660	3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe	30
PID 3036 wrote to memory of 2656	3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe	31
PID 3036 wrote to memory of 2656	3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe	31
PID 3036 wrote to memory of 2656	3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe	31
PID 3036 wrote to memory of 2656	3036	b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe	31

C:\Users\Admin\AppData\Local\Temp\b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe
"C:\Users\Admin\AppData\Local\Temp\b06069d17be792cfccc29b203a11338ec4e66098888fbdc4845ebe05fd5b1c9d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\FilesK5\xdobsys.exe
  C:\FilesK5\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesK5\xdobsys.exe

Filesize
3.9MB

MD5
963fb074fea51fd9e8c437b1329bd1ee

SHA1
e3c2e4aea0728b77b149d4d05d7c91947ac0bd25

SHA256
3621a30e17092671f5b702c71018a0e09392a41e2755061ea36f50baa30beb7b

SHA512
e174b2bb91d33fa8e2cfa0fb633807db0a958ef75f50eea5237032c0938bc71042fc5c9039d586e8cae077d7f6d674490d3b02de83193628d272e99ebbf76f82

Download Submit
C:\Galax6S\optixloc.exe

Filesize
3.9MB

MD5
4655e08c898d7c712865712a55b4eb24

SHA1
4fce7559aa77f23567fb5634b47234886596ff54

SHA256
328e22d49966353989cb5858ca5370893dd0ad5a7387821e33f18175f7834997

SHA512
1290bf8ee1df10db5b099ea53b475ce4317b7c08589e74cc23b6cede7b40923f18affb7125cbf42f9d8060b486d1cb7489998b8f73e2283b8dc6c87e82591882

Download Submit
C:\Galax6S\optixloc.exe

Filesize
3.9MB

MD5
81a0db7c038999c20b51848b7739e868

SHA1
7f1f86ac1a37cac4163e96bfd65f1bb1517335ab

SHA256
35f14037992e0e02b1eb42f01fb7d34bde0030e277069c6263325e2092904cd3

SHA512
57b5255daa6939a60e3d66d8d2390f5d96b5c66db68343be5863c29ad29fce443eef9d837665f9c34d2af148ce6ef2b5c936911173398b2bfebf7546a8ec8b64

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
55bbaab5dab219ebb5829ce7550baa6c

SHA1
5162e3eae9b8a56f19d327eec8d2677a414dcc99

SHA256
67979a5253c0862ef7af7972e4e7e15dd7fd45c452ffda5b8d6e4614599197fd

SHA512
dd47823f3e723ac06e13e2c1fd0afb1e9fc0b2b6e9a0519c90599715dd0c981d7f0c85fbcfd70e54ae6bee7c8b04de8504ca6ee8f7ad35350bc069a1c82c6a20

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
25dd9b7b7cabcee138d5d7d4427845af

SHA1
b562017b2836072191a24235a48d723c24dd8adb

SHA256
7611ba941038218c2efed39a98d02826e6591206e078f84f913e7249ef94acb6

SHA512
8a5ecb9866d5eee21d621d59d6aa9f54a8e9b5819df151fb76ee0f5f54073ea318a354e95dde3889103d73d3821cc9e416e072a741df7a39b56d4b64034b7317

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.9MB

MD5
48c64a64f642837be2d9845251f8a6c4

SHA1
1f7948bdd12be4df0f931cd8e811d4e38e9e53ff

SHA256
64eea17fa462a25878af72c9820948d62949ed83dada635a4e6e321a57389509

SHA512
da6f5e26bc9c1284d42721be45fca419e249e1a3e0a48807e9943a44ecc2d24036f4850aff01932e02ebe498e53a84264b2b60c91d9da5c0e1bc4b43a9f3e269

Download Submit