3921a5b4c1aae3b2eb55320b7185c39b74b6ebe5dba592371ceef25663261c73

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046dcb90a380c0e5a918e0ddf76f5390N.exe
Size

3.6MB
MD5

046dcb90a380c0e5a918e0ddf76f5390
SHA1

5856c17a3a291d8e32beeba44963dc18fa8e680c
SHA256

3921a5b4c1aae3b2eb55320b7185c39b74b6ebe5dba592371ceef25663261c73
SHA512

90a4347270610501cc6713719d4b56123948f851b3165fc486244e45d3163be5d41221b6de94bcb3498d337763dba698b73f52944f8e36298e424bc36ff76976
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8:sxX7QnxrloE5dpUpdbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	046dcb90a380c0e5a918e0ddf76f5390N.exe

Executes dropped EXE 2 IoCs

pid	Process
2972	ecxdob.exe
2128	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	046dcb90a380c0e5a918e0ddf76f5390N.exe
2552	046dcb90a380c0e5a918e0ddf76f5390N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot78\\xdobloc.exe"	046dcb90a380c0e5a918e0ddf76f5390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH7\\bodaec.exe"	046dcb90a380c0e5a918e0ddf76f5390N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	046dcb90a380c0e5a918e0ddf76f5390N.exe
2552	046dcb90a380c0e5a918e0ddf76f5390N.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe
2972	ecxdob.exe
2128	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2972	2552	046dcb90a380c0e5a918e0ddf76f5390N.exe	30
PID 2552 wrote to memory of 2972	2552	046dcb90a380c0e5a918e0ddf76f5390N.exe	30
PID 2552 wrote to memory of 2972	2552	046dcb90a380c0e5a918e0ddf76f5390N.exe	30
PID 2552 wrote to memory of 2972	2552	046dcb90a380c0e5a918e0ddf76f5390N.exe	30
PID 2552 wrote to memory of 2128	2552	046dcb90a380c0e5a918e0ddf76f5390N.exe	32
PID 2552 wrote to memory of 2128	2552	046dcb90a380c0e5a918e0ddf76f5390N.exe	32
PID 2552 wrote to memory of 2128	2552	046dcb90a380c0e5a918e0ddf76f5390N.exe	32
PID 2552 wrote to memory of 2128	2552	046dcb90a380c0e5a918e0ddf76f5390N.exe	32

C:\Users\Admin\AppData\Local\Temp\046dcb90a380c0e5a918e0ddf76f5390N.exe
"C:\Users\Admin\AppData\Local\Temp\046dcb90a380c0e5a918e0ddf76f5390N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\UserDot78\xdobloc.exe
  C:\UserDot78\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZH7\bodaec.exe

Filesize
150KB

MD5
68bdee897bc835429529034c4323727b

SHA1
75019f6f34f9cc8bf1021406b31c22a671a62d99

SHA256
90959460ec88e8fdd5a108f338da2c04b461c27845a7bd2ed11f7b6cf08935c9

SHA512
5df8837e2decba510a4b2f39127fcf8fc18e2993d3e35fbe151c4193eaf1b43026b4b94fea387e9a5525ead9dc995f58e220273289665ef39b90ce572d146480

Download Submit
C:\LabZH7\bodaec.exe

Filesize
22KB

MD5
e4c3b64fcedd8e2be082125e0287c8c2

SHA1
e6b71826979f9d40981780fe8419f7c9b79bf83c

SHA256
ba35a7794c7b3437fa887553308604c897996dc320d4789f8ba4838d1db5da7c

SHA512
0e8954077f47610919e36491a6c0d672d0a7c041f7ae8269b389612195dfe659cdabcafdbea40afc4e1d1dbfce766724ee826f776efc650dafa0f52ae350288a

Download Submit
C:\UserDot78\xdobloc.exe

Filesize
58KB

MD5
201162a11288a213edf71b3b967f8b11

SHA1
2c78fcfb0435a8281aa7ce398539d3b46152a82b

SHA256
9526b711e1948567ab90740377bc0f9561c48a5911964267d7df593530fe9595

SHA512
a9bdabb35319096a185ce04a1e60b3e60d8a204fd15c0f049e090bab8d3ca7f15c96e0221dfc5af1a6f56cdfac3f0c3dcc1e0edf261afdf088e46931a3ee2322

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
19ccd27fc6269e65f574961a51c09e4c

SHA1
3e412a84b404c518d03a69384e8fb1e61d97dfe8

SHA256
b33141378425883dc083d08eec46ebc00f4e17680033cf91e944fcdd65991c39

SHA512
acfd51db38df284df84b14d71846e535485837ee4a1e696540bc4626852c206b15c636481596a88ba60cd2650edfda73f72f4bbafe23dc4b4d5a507dfe201a55

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
af00911237628da3dc3af188be5a7547

SHA1
a5aa44c3c1d4b556a9f9d61804870e1eb40edece

SHA256
98640c5b60bb2207784dc5447762025a3bde347742e3175c877988fd777a383e

SHA512
f1f91047bf8242f328551fc16ab04acad4ae10a464083943b0542645a4b8b203e8b1ee475bedf92be20676694585f9eed8b2e5f11ff357562438d59e57292747

Download Submit
\UserDot78\xdobloc.exe

Filesize
3.6MB

MD5
ff5365c355495e468f4ca77b578ef127

SHA1
a382af13f42c406a3362ba5c521bfdb7dba91bcb

SHA256
7369b06cc0dbf9a02513d3dc0b03db2b9bf03f47786edea0d59f7b0971703a1d

SHA512
b5b1367ee5c4bdb9cf03ee3d8a7c54443d1ef9945a5cb493ca63da567aef7bea97d5142f951533d1bcee633ab2cb11fececdb2520a6da672e24417b6ead88a4f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.6MB

MD5
d947fcaaae2feb6fbfce885b3b22e80b

SHA1
1002079b02ee08224145f6c8030f032225180160

SHA256
4e66ef9961fe6389d20824d16c4e2d840ff5aaedd964a4fe4bdb97c88a61230f

SHA512
ff157fb4fcbb20f3d89417b7afef0993844b68fdf5a38980673367f06917f87626180eec29b912888d3693fe8c05ae6f6e3209f7b6e43e3fa4ee43f310cac905

Download Submit