8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
Size

3.6MB
MD5

5b14a42052f3e376c2f498cc11548d97
SHA1

051fbb7a841ce597da0470fce93f318c49c90961
SHA256

8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3
SHA512

0c0a9eb4a701710e1238652383bf409ba9f0226915d1f6a66fbe601b4bf90acc4d9c9baee77c7850ea60d520203ce0582e94910caf2e79c4522be464a886a615
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe

Executes dropped EXE 2 IoCs

pid	Process
2252	ecadob.exe
2600	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSK\\devdobsys.exe"	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZS9\\dobxec.exe"	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe
2252	ecadob.exe
2600	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2252	2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	30
PID 2376 wrote to memory of 2252	2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	30
PID 2376 wrote to memory of 2252	2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	30
PID 2376 wrote to memory of 2252	2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	30
PID 2376 wrote to memory of 2600	2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	31
PID 2376 wrote to memory of 2600	2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	31
PID 2376 wrote to memory of 2600	2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	31
PID 2376 wrote to memory of 2600	2376	8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe	31

C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe
"C:\Users\Admin\AppData\Local\Temp\8653259fc07b29c4755a60486ad76d624eed2a6a6d11a67655da4712527963d3.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\IntelprocSK\devdobsys.exe
  C:\IntelprocSK\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocSK\devdobsys.exe

Filesize
3.6MB

MD5
7861be40e99f90ec051370037e371eaf

SHA1
e1a9cd61c2f3aa5dc3650632fa85dfd1c5151ed7

SHA256
443bdbdab682b9621287ec5418ee543d0e87e1c6f3eda0f11a4d1134277091f4

SHA512
5c5104b1d8540f6a064b0134fff505a927d44a2a61cd3df3d0cdbece0966fff3fb71305c06e28dfa5dc10eda3306ce258ea3674599aad1c89e3a0c5f67744bad

Download Submit
C:\LabZS9\dobxec.exe

Filesize
3.6MB

MD5
cf1a533e0ae3081fdf724f73d51f2833

SHA1
1cdbaa7335208b037bad0da5abe8509361545e67

SHA256
2eb00deedf3fa40abafa252d8bb2cd156963f39b7f8a02c68d3841cb8b33b026

SHA512
ad051c105d234f5d7e0f30368b1d7688252ae2f17afccda028705183553a46f024de1da17ddce1f5528baa905a343c0bee65dfef3949e82a1279a5539f36e6d5

Download Submit
C:\LabZS9\dobxec.exe

Filesize
3.6MB

MD5
cdf056249acae28be804e0cfca52769c

SHA1
05fc9853b15013733c536bba485401cb83fc4cc2

SHA256
f7a94c5bbc2ee0dc97c24016dd0daf564cb7e06d63383aa9cb8d61eeca1f9267

SHA512
e21a5067809b52df80c2423a6b3337bb3014bee52bc1f0b7aeb1cd480e7c215abfdab491ef4cfc86a23312338ea869cc515ecb1af764f4487aec5362f8dc2e8d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
9c449e6dd252ec12557502545dc8a980

SHA1
e2d61a1cd20d373e3a2b70fa7347c93698d185eb

SHA256
5c68962302e37654ea9ab4ba7e172a2b57ef5c92eafc9a27e127fb74b26ad59d

SHA512
79c379cfdac6d668daed42533f7c7f9a629473d2f0e524266c8dba39eb75f4a5e1923929b0865191b36f4659bd611f1adf5b2842a6f3c7c3809c3d12d2a083ad

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
f14741a4f84ff83e6390d2c3ca4d663a

SHA1
368f51a0927eddace2bba941cf0d4fdeca202725

SHA256
c5533a2517abf3e318056756e14885bfa35cf7d03d499ad71fd7a63edd5142d3

SHA512
0701968b49079ec852495ef38ea990fe8887efa73150d97471972c221d01ddc66caa955f7754cea8adeeee60adfb63783563679a0b9e6c6a354148682f17e1f1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.6MB

MD5
1458a17195a506837979ac59ec218832

SHA1
08b7ef8721c676889fc89628443e77b86eb7c30c

SHA256
f662f5393b36992ea9efab4e9be4098d493bc5c7516f2501f748a37ecd20a093

SHA512
f7eea330f7a23cf84cd1417f0cd2a73e5a9ebb5eef4f8519955c58c03857620ae8be317b73fb69e485a27504890dd800051dfd8e00c3f5f70a982822ef32151e

Download Submit