Analysis

  • max time kernel: 120s
  • max time network: 17s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 24-07-2024 00:04

General

  • Target: 24ed8eb8352d31a52be76d42821556b0N.exe
  • Size: 2.6MB
  • MD5: 24ed8eb8352d31a52be76d42821556b0
  • SHA1: b9e83430d9c10feb4b46fb07b6c1e6c79f098dd3
  • SHA256: 69535d4ca68b20c7272bf160c26af1662ccd637de2e83003b6c1b8c07971ec2e
  • SHA512: 7dd2460841c7b1a6b7c61609024fed21c48ff9f684cd4f85528e3c437256c382e47284c69574cf542e5ab0b9bd55170dbf9d7ef1579b844c7f92808d9ba4b847
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpvb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24ed8eb8352d31a52be76d42821556b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\24ed8eb8352d31a52be76d42821556b0N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3060
    • C:\SysDrvMU\xdobec.exe
      C:\SysDrvMU\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintUN\dobasys.exe
    Filesize: 2.6MB
    MD5: 43dbff4adcd46c61e97a98e892d97dbb
    SHA1: b89fefd247da95f5cf6e86c8e0925ac3120611e8
    SHA256: 9d2c125d81b254c919159457e66d35ce792fb88f7a8c7ae3ee574e5861f49b85
    SHA512: 51ad06f919e4435aa325e09d60fe977d6c0ab9cd74044cb40eb9969525d9f75782b36154029a99eb02a0018a521552cbeadc747c1761fbf8dee4c4ea13a7b8cb

  • C:\SysDrvMU\xdobec.exe
    Filesize: 2.6MB
    MD5: e79f6c9dd526034aaa41b643d1b23ee6
    SHA1: 0d793d0a2dd4320d550002d7b9d2863b38aa9435
    SHA256: afa66aa6b08364825504dd7483777c97a10d3051fa5285c7bb95da63e21a541b
    SHA512: be7148231d04796f551f81dbf9400df1b34a397e3b285100948f3dd0f20493cec63f5326a073136080b3653da354b5a723060280b2dea8da88c16f92425ce587

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 168B
    MD5: 312873c8fc2c27b790ddcfd319d01913
    SHA1: 56849d0ff790dfc2830244875f5f8f97c41bce25
    SHA256: 2f90200f83cc530b1034976baf42ae3e7984332c5553a37dbf0f1ba43c02b80b
    SHA512: 3852be5d65e95b17cfba1ae1201a142ee5d81861dac642c32ff33d2c0511dd30781e79af07fddb0b42e7acb4714dc5d681593794d5189199badc37819696dd39

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 200B
    MD5: 92978045022c6e89b69c61f1fd9f36df
    SHA1: 591e30921c6655f2e0bcb2d792e1bdb01be5c232
    SHA256: a60ff9cba40587cc8839c6d81b56518e4681c74028671865c8388c1935b1fd28
    SHA512: 0656d8c24285488493bd773937280c1e2a6b4560273b635f638ebac26ddf4b64ec7472d053213a2c333c5b7fb2c77ac5e2414ee4fca88496be079b603cc4b5e4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 2.6MB
    MD5: ec34cefd09547e4f1437657843b8f9a1
    SHA1: a7be5f07c251abfc2070e05e5e2788b62c5edaa8
    SHA256: f84b38e3258fa5b968bfcc0d72a88e5a4781d5a052eb0a2d00a397ff357fdd1c
    SHA512: 27b40a7e738dc3b22adf56f36f4c7249b9060ecfcc60c6f0c748a3eb43be56403cecbd56094f7cd533e28a597dc42d614d6c463ee3722d04a1081ed3cd33ebd3