15b765faa8efcc2dac8c42f9126ba9ee3aacab335d6ac28391be0bceff3a6b8c

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b6e821e9a2b645f25c1ba0ce250f40N.exe
Size

4.1MB
MD5

10b6e821e9a2b645f25c1ba0ce250f40
SHA1

5888930755f20a01dcb04851018e246ae750816f
SHA256

15b765faa8efcc2dac8c42f9126ba9ee3aacab335d6ac28391be0bceff3a6b8c
SHA512

a59f3f13d5e3363fe6f1d3c7605e1c6cd427abe4a0727510c402733232d1a55637106cf1a87bd787060a86467feaf813d9fe5d721718c174f4acb96907b5b569
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpybVz8eLFcz

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	10b6e821e9a2b645f25c1ba0ce250f40N.exe

Executes dropped EXE 2 IoCs

pid	Process
2080	ecdevopti.exe
2752	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEL\\xdobloc.exe"	10b6e821e9a2b645f25c1ba0ce250f40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid29\\dobxsys.exe"	10b6e821e9a2b645f25c1ba0ce250f40N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10b6e821e9a2b645f25c1ba0ce250f40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe
2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe
2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe
2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe
2080	ecdevopti.exe
2080	ecdevopti.exe
2752	xdobloc.exe
2752	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2080	2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe	87
PID 2748 wrote to memory of 2080	2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe	87
PID 2748 wrote to memory of 2080	2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe	87
PID 2748 wrote to memory of 2752	2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe	88
PID 2748 wrote to memory of 2752	2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe	88
PID 2748 wrote to memory of 2752	2748	10b6e821e9a2b645f25c1ba0ce250f40N.exe	88

C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe
"C:\Users\Admin\AppData\Local\Temp\10b6e821e9a2b645f25c1ba0ce250f40N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\UserDotEL\xdobloc.exe
  C:\UserDotEL\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotEL\xdobloc.exe

Filesize
4.1MB

MD5
b1389e5bde605c880ab56c787e32553c

SHA1
b4efd8fd520fcf45578a42fa5628367adb188c7c

SHA256
dcbbb7e63a04d41a68f628674663072deaed1ad41a39572abc66ccfa5a5766c2

SHA512
8ce855795b2596398d3a9e372e957fd307443014d6deaefc36285255401a3a6d7be94eddf396d8c4d21269a888cb48250823525fd206d6dae4482849bda59a29

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
f1feeac7cd711c819af751c3b9a6ccca

SHA1
daea65a669a10e57fd0d63d25b1360af40f2dc8e

SHA256
b84c4bbfe2488f41850cac7e370abf9e78499a77bab8e4057b31ae1e712093de

SHA512
23aefa7ef2ddc149beed3333df50663fb9c6b937e46406832d946b4def40ec88fd66e4f1051113696888a2760283a3e1aeabd2992bbd466f3701b7ae5378c0b7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
50ffe84acadddf7bd0188bb54036cd4c

SHA1
8bb9a24f03bd9d890fa4e136acb7656231e01736

SHA256
01a94194725a9bdc9542f8783d009ffe014a31172189f6966d7077967067cea9

SHA512
16a34ecc0765387dea79a27c14fe54d15963d2493ac67278804265611972fbd5736034729b5c1ff3472ee4cdf32828becba0af943540f6a1165d3b1f2272a8e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
4.1MB

MD5
58dad0be80378537d87f7a3bfa08389c

SHA1
83dd5a9f885286a6833c62d857873381918f413c

SHA256
dbc6425fbacbbccacfdf706f2af253c694cbec6003f8889bf065b15a16c96b77

SHA512
00cccdc249b8ac54d8eec56676283162fc7c63c8240b9d74fba4ca8250092bd6005e612db29792b323941f7266abbbf9b3ca8ba16f507ce12f5d4eba89653754

Download Submit
C:\Vid29\dobxsys.exe

Filesize
478KB

MD5
c63848866215c225285289a4cb925349

SHA1
bd26bbc7d160701fcf45dee8dc11b80cd9186713

SHA256
8992a1157d52cb4f87d8ee6b7998c43073ee7110f2f281aca02c7acc65079e56

SHA512
80389b91ac41fc1310549fb5d55adc501cfa75f518c4de240687cae09dacfec5fa590fdf2657c214a5b7bd3088754692240eb4e02d879a8b7ca748c486391f74

Download Submit
C:\Vid29\dobxsys.exe

Filesize
4.1MB

MD5
26134446f5b5cce2de8b1967240ec3a8

SHA1
11b7f6272f68153a441830501642c48d72dbfcbc

SHA256
17acb8dc7a669fc4d87334d6d6b0e36f52470b7412daaf591c86838a745d2070

SHA512
2a2e7dca8224a1ed9ea857cb783b6a173c0aa1ad51c4a2c4c2e5d8eab3627df7e5dbf4e6672bf1f0a4d629ec36b5ad701afe7df36b3f273aa4a028e19594aa7e

Download Submit