Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted
24-07-2024 00:04
Static task
static1
Behavioral task
behavioral1
Sample
24ed8eb8352d31a52be76d42821556b0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
24ed8eb8352d31a52be76d42821556b0N.exe
Resource
win10v2004-20240709-en
General
-
Target
24ed8eb8352d31a52be76d42821556b0N.exe
-
Size
2.6MB
-
MD5
24ed8eb8352d31a52be76d42821556b0
-
SHA1
b9e83430d9c10feb4b46fb07b6c1e6c79f098dd3
-
SHA256
69535d4ca68b20c7272bf160c26af1662ccd637de2e83003b6c1b8c07971ec2e
-
SHA512
7dd2460841c7b1a6b7c61609024fed21c48ff9f684cd4f85528e3c437256c382e47284c69574cf542e5ab0b9bd55170dbf9d7ef1579b844c7f92808d9ba4b847
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpvb
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Drops startup file 1 IoCs
description   ioc                                                                                     Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe  24ed8eb8352d31a52be76d42821556b0N.exe
Executes dropped EXE 2 IoCs
pid   Process
3060  ecxopti.exe
2108  xdobec.exe
Loads dropped DLL 2 IoCs
pid   Process
1772  24ed8eb8352d31a52be76d42821556b0N.exe  (2 loads)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and session cookies.
-
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                    Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMU\\xdobec.exe"      24ed8eb8352d31a52be76d42821556b0N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUN\\dobasys.exe"   24ed8eb8352d31a52be76d42821556b0N.exe
Both values use the name "Parametr". The Run value points at xdobec.exe, which runs as PID 2108 in this analysis; the RunOnce value points at C:\MintUN\dobasys.exe, which is not observed executing in this run's process tree, so whether that path is actually populated has to be confirmed on the host.
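The two persistence signatures above (the drop into the per-user Startup folder and the Run/RunOnce values pointing at C:\SysDrvMU and C:\MintUN) are what a host-side detection should key on. The following is an added example, not part of the sandbox report and not the sample's code: a small matcher over Sysmon-style registry SetValue (Event ID 13) and FileCreate (Event ID 11) events that flags autostart values whose program lives outside Program Files or Windows, and executable files written into the Startup folder. The events are constructed to mirror this report's IoCs plus two benign controls; the field names follow Sysmon's schema, and the vendor paths in the benign events are made up.

```python
"""Flag Run/RunOnce and Startup-folder persistence in Sysmon-style events.

Added example, not part of the sandbox report. The sample events below are
constructed from the report's IoCs plus two benign controls.
"""
import re
from dataclasses import dataclass

# Run/RunOnce value paths, whether the hive is written as \REGISTRY\USER\S-1-5-...
# (as in the report) or HKU\S-1-5-... (as Sysmon logs it).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I
)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I
)
# Autostart programs under these roots are common for legitimate software;
# anything else (C:\SysDrvMU, C:\MintUN, temp or profile dirs) deserves a look.
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)
EXEC_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


@dataclass(frozen=True)
class Hit:
    rule: str
    process: str   # Image of the process that made the change
    artifact: str  # registry value or file path involved


def exe_path(details: str) -> str:
    """Extract the program path from Run value data, dropping quotes and arguments."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split(" ", 1)[0]


def match_persistence(events):
    """Return Hits for Run/RunOnce values that point outside trusted directories
    and for executable files created in the user's Startup folder."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 13 and ev.get("EventType") == "SetValue":
            target = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(target):
                program = exe_path(ev.get("Details", ""))
                if not TRUSTED_DIR_RE.match(program):
                    hits.append(Hit("run_key_untrusted_path", image, f"{target} -> {program}"))
        elif ev.get("EventID") == 11:
            path = ev.get("TargetFilename", "")
            if STARTUP_DIR_RE.search(path) and path.lower().endswith(EXEC_EXTS):
                hits.append(Hit("startup_folder_drop", image, path))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\24ed8eb8352d31a52be76d42821556b0N.exe"
SID = "S-1-5-21-3294248377-1418901787-4083263181-1000"

# Constructed events: the first three mirror the report's IoCs, the last two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r'"C:\SysDrvMU\xdobec.exe"'},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r'"C:\MintUN\dobasys.exe"'},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"},
    # Benign control: an updater registered from Program Files (hypothetical vendor path).
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\ExampleVendor\updater.exe" /quiet'},
    # Benign control: a non-executable file in the Startup folder.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

if __name__ == "__main__":
    for h in match_persistence(SAMPLE_EVENTS):
        print(f"[{h.rule}] {h.process} :: {h.artifact}")
```

Run against the constructed events, the matcher returns three hits (both "Parametr" values and the ecxopti.exe drop) and ignores the two controls. The trusted-directory allowlist is deliberately narrow; on a real fleet you would extend it with your own software roots rather than loosen the rule, because the path outside Program Files is the signal that separates this sample's persistence from ordinary installers.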
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecxopti.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xdobec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  24ed8eb8352d31a52be76d42821556b0N.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1772  24ed8eb8352d31a52be76d42821556b0N.exe  (2 entries)
3060  ecxopti.exe                            (alternating with 2108 for the remaining 62 entries)
2108  xdobec.exe
Suspicious use of WriteProcessMemory 8 IoCs
description                       pid   Process                                procid_target
PID 1772 wrote to memory of 3060  1772  24ed8eb8352d31a52be76d42821556b0N.exe  30  (4 events)
PID 1772 wrote to memory of 2108  1772  24ed8eb8352d31a52be76d42821556b0N.exe  31  (4 events)
The only write targets are the two direct children of 1772 shown in the process tree, which is consistent with a parent populating processes it has just created rather than injecting into an unrelated process; treat this signature as supporting evidence, not proof of injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\24ed8eb8352d31a52be76d42821556b0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\24ed8eb8352d31a52be76d42821556b0N.exe"
PID: 1772
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  Child of 1772: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  PID: 3060
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  Child of 1772: C:\SysDrvMU\xdobec.exe
  Command line: C:\SysDrvMU\xdobec.exe
  PID: 2108
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5
43dbff4adcd46c61e97a98e892d97dbb
SHA1
b89fefd247da95f5cf6e86c8e0925ac3120611e8
SHA256
9d2c125d81b254c919159457e66d35ce792fb88f7a8c7ae3ee574e5861f49b85
SHA512
51ad06f919e4435aa325e09d60fe977d6c0ab9cd74044cb40eb9969525d9f75782b36154029a99eb02a0018a521552cbeadc747c1761fbf8dee4c4ea13a7b8cb
-
Filesize
2.6MB
MD5
e79f6c9dd526034aaa41b643d1b23ee6
SHA1
0d793d0a2dd4320d550002d7b9d2863b38aa9435
SHA256
afa66aa6b08364825504dd7483777c97a10d3051fa5285c7bb95da63e21a541b
SHA512
be7148231d04796f551f81dbf9400df1b34a397e3b285100948f3dd0f20493cec63f5326a073136080b3653da354b5a723060280b2dea8da88c16f92425ce587
-
Filesize
168B
MD5
312873c8fc2c27b790ddcfd319d01913
SHA1
56849d0ff790dfc2830244875f5f8f97c41bce25
SHA256
2f90200f83cc530b1034976baf42ae3e7984332c5553a37dbf0f1ba43c02b80b
SHA512
3852be5d65e95b17cfba1ae1201a142ee5d81861dac642c32ff33d2c0511dd30781e79af07fddb0b42e7acb4714dc5d681593794d5189199badc37819696dd39
-
Filesize
200B
MD5
92978045022c6e89b69c61f1fd9f36df
SHA1
591e30921c6655f2e0bcb2d792e1bdb01be5c232
SHA256
a60ff9cba40587cc8839c6d81b56518e4681c74028671865c8388c1935b1fd28
SHA512
0656d8c24285488493bd773937280c1e2a6b4560273b635f638ebac26ddf4b64ec7472d053213a2c333c5b7fb2c77ac5e2414ee4fca88496be079b603cc4b5e4
-
Filesize
2.6MB
MD5
ec34cefd09547e4f1437657843b8f9a1
SHA1
a7be5f07c251abfc2070e05e5e2788b62c5edaa8
SHA256
f84b38e3258fa5b968bfcc0d72a88e5a4781d5a052eb0a2d00a397ff357fdd1c
SHA512
27b40a7e738dc3b22adf56f36f4c7249b9060ecfcc60c6f0c748a3eb43be56403cecbd56094f7cd533e28a597dc42d614d6c463ee3722d04a1081ed3cd33ebd3