8343bd388dfab8ac612ae9067a2f63e658aef3a91cc985ae8ae75ab8a3088b16

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d6b0e109146cb1927bb63b00c959570N.exe
Size

2.6MB
MD5

6d6b0e109146cb1927bb63b00c959570
SHA1

6f7109c0e09b1453676277caedbabda2536497ff
SHA256

8343bd388dfab8ac612ae9067a2f63e658aef3a91cc985ae8ae75ab8a3088b16
SHA512

57b6e959370552660a9c12bc338ab3bca41fa0651ee4ada13a5cee711f9faa09eb725cb7e22dadd94ecfe739be8ec01c87fc4218a5bf98a3cfbfe097f86f681a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bS:sxX7QnxrloE5dpUp3b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	6d6b0e109146cb1927bb63b00c959570N.exe

Executes dropped EXE 2 IoCs

pid	Process
2124	ecxdob.exe
2936	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	6d6b0e109146cb1927bb63b00c959570N.exe
2116	6d6b0e109146cb1927bb63b00c959570N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeR5\\abodloc.exe"	6d6b0e109146cb1927bb63b00c959570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxM8\\dobxsys.exe"	6d6b0e109146cb1927bb63b00c959570N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	6d6b0e109146cb1927bb63b00c959570N.exe
2116	6d6b0e109146cb1927bb63b00c959570N.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe
2124	ecxdob.exe
2936	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2124	2116	6d6b0e109146cb1927bb63b00c959570N.exe	31
PID 2116 wrote to memory of 2124	2116	6d6b0e109146cb1927bb63b00c959570N.exe	31
PID 2116 wrote to memory of 2124	2116	6d6b0e109146cb1927bb63b00c959570N.exe	31
PID 2116 wrote to memory of 2124	2116	6d6b0e109146cb1927bb63b00c959570N.exe	31
PID 2116 wrote to memory of 2936	2116	6d6b0e109146cb1927bb63b00c959570N.exe	32
PID 2116 wrote to memory of 2936	2116	6d6b0e109146cb1927bb63b00c959570N.exe	32
PID 2116 wrote to memory of 2936	2116	6d6b0e109146cb1927bb63b00c959570N.exe	32
PID 2116 wrote to memory of 2936	2116	6d6b0e109146cb1927bb63b00c959570N.exe	32

C:\Users\Admin\AppData\Local\Temp\6d6b0e109146cb1927bb63b00c959570N.exe
"C:\Users\Admin\AppData\Local\Temp\6d6b0e109146cb1927bb63b00c959570N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- C:\AdobeR5\abodloc.exe
  C:\AdobeR5\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeR5\abodloc.exe

Filesize
2.6MB

MD5
076d982d0bff1ffc96889e11d2c5131d

SHA1
2a60f2b6b0cdf5d16fcd98a676fcee5b931254f8

SHA256
b204d8e609d23910665682bf591215c5cad2217317eb3757bd50f58c346ebd0a

SHA512
43a4d951eef3474c52ca2d85e2ab38f7ef2a59b3e9275ed74ce0e0460c1536307e214661de691aba49dedbd79cc5fa6d63701d10022010211b2df021e258eec7

Download Submit
C:\GalaxM8\dobxsys.exe

Filesize
1.8MB

MD5
a11f76255b9ca6234bfd6aa66474643d

SHA1
e3cc3fe2e8e1a624e3288e828320a33d91a8d733

SHA256
2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6

SHA512
5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

Download Submit
C:\GalaxM8\dobxsys.exe

Filesize
2.6MB

MD5
c5fbb81e520494705edcc00362200f14

SHA1
f7bbfa581bdd9f59c62bdbd8f18631c0d2edaaeb

SHA256
6c45ab42938671001771365cab9d6f9ba379266451076f6fc5dd4c793956471e

SHA512
cd86d7f221b98ea9056f32129b949f88e8cfb18d7c3811d487e4195e34f5fdf84333d38e244739d1532cd34be8c831e4ecfa2c61215b7f39291c5214082a389a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
d5c1f328ad416f17ce92c06ebf3c00c9

SHA1
b0827341f33d642bbb23ce5cdc419815055f23c7

SHA256
8123825ead8cc5bb7e9c2282331d9e0f3f3aa4462cd808e4ef79d532a072ce19

SHA512
a8b9a0ba9108df59d62cedfafb1314e8b3ff394a20aaedc3d9b9fb1a7b8456d98bc939e85decf1325fd6d5a1e1f2a5a70680bdb463556238fd0e88d2856c3af8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
a3c86ee241da534c1fe0bbcf94bd2cb1

SHA1
dc19a130d000670634b702969a33f4d431079a67

SHA256
054a7b22f4653e328379b18e17c40451292831b5fa1708c8b34982ccbef43f32

SHA512
dc500e5c3e477cf123a75526a2c047c40edfe5d9ea0d5271595ce184c2c3babe2a34a10b6887a2f14cb8954a561043f191e7cf0247c0effe99ad4c07efc818af

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
acf2af4784effdbc07859c9cd107642f

SHA1
3c57add0c28422ec39f70763acd5c6960e620fd2

SHA256
9c7d07b935963e2a9c2faf06e924b8902ac99877a2922b2ce6fc18a313ab491d

SHA512
c0f867d3fbc1896a53301e743e2b9da96dd44382135d95f1dba94d88ffca6e350fd994fb9ac20f7fe92e5b894434c60e13762119811d8e4a08bba89bccafb993

Download Submit