5160cd352a0f25b6236f1e2b99854f80dfdd564e31a5da366121017407af5c65

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 13:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c6c10483ac744eca0c4050a82ab08f0N.exe
Size

3.0MB
MD5

2c6c10483ac744eca0c4050a82ab08f0
SHA1

bb3d8687ea94d60e52ef1b58c429ed39d17f342d
SHA256

5160cd352a0f25b6236f1e2b99854f80dfdd564e31a5da366121017407af5c65
SHA512

fefda4e996ca1fd4beff65b48c90c5640bf52982674a4a7be8f688cd0d990e237994028ff2ded3e65e3c37d0447729f54a00ce5015701a1d20a20264c8012972
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSqz8b6LNX:sxX7QnxrloE5dpUpCbVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	2c6c10483ac744eca0c4050a82ab08f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3016	ecxdob.exe
2804	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
712	2c6c10483ac744eca0c4050a82ab08f0N.exe
712	2c6c10483ac744eca0c4050a82ab08f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGU\\xdobsys.exe"	2c6c10483ac744eca0c4050a82ab08f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP4\\dobxloc.exe"	2c6c10483ac744eca0c4050a82ab08f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c6c10483ac744eca0c4050a82ab08f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
712	2c6c10483ac744eca0c4050a82ab08f0N.exe
712	2c6c10483ac744eca0c4050a82ab08f0N.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe
3016	ecxdob.exe
2804	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 3016	712	2c6c10483ac744eca0c4050a82ab08f0N.exe	30
PID 712 wrote to memory of 3016	712	2c6c10483ac744eca0c4050a82ab08f0N.exe	30
PID 712 wrote to memory of 3016	712	2c6c10483ac744eca0c4050a82ab08f0N.exe	30
PID 712 wrote to memory of 3016	712	2c6c10483ac744eca0c4050a82ab08f0N.exe	30
PID 712 wrote to memory of 2804	712	2c6c10483ac744eca0c4050a82ab08f0N.exe	31
PID 712 wrote to memory of 2804	712	2c6c10483ac744eca0c4050a82ab08f0N.exe	31
PID 712 wrote to memory of 2804	712	2c6c10483ac744eca0c4050a82ab08f0N.exe	31
PID 712 wrote to memory of 2804	712	2c6c10483ac744eca0c4050a82ab08f0N.exe	31

C:\Users\Admin\AppData\Local\Temp\2c6c10483ac744eca0c4050a82ab08f0N.exe
"C:\Users\Admin\AppData\Local\Temp\2c6c10483ac744eca0c4050a82ab08f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:712
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\UserDotGU\xdobsys.exe
  C:\UserDotGU\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintP4\dobxloc.exe

Filesize
118KB

MD5
7600ee9fdbab39235bec021de1a3f95b

SHA1
565f35fc08e71f6cd028e6bf4d7303f0c8bb9781

SHA256
60de1a80c70a3c20c7afdbb4a503bcac8c348a77fa86456bea06518757c525ba

SHA512
eca857d978dab34f3be27ec800becdb18e2368f0a02b997a258131b703c641710f8ee712a086919bb8b2989e58041082e5134d7af4bc423aefd16c9344865a42

Download Submit
C:\MintP4\dobxloc.exe

Filesize
3.0MB

MD5
7f1623dac7bec6bf785e0cb4a5d8796d

SHA1
f3b3a6e173465b95fba6ae69956d414be5646928

SHA256
cb4e711b5c7a84d34c7476317aa80939e0f2258ac6883849ca6997e5cdcd49db

SHA512
48eb449def8ae6f7e67a2c3d26b5eb0a729421cb81300511d87a323526a463ced05c6e6a0222a3cecda94e028960c3f5b314bb3d6eae14dc86fce4f0eecc41bb

Download Submit
C:\UserDotGU\xdobsys.exe

Filesize
953KB

MD5
1209d81129f61fd0c49307dbc67cc3a0

SHA1
474e2664b3de5b656974d4afcbe0aee0f8734600

SHA256
a55cea75c094889bf1a2d4766c16316a16aa375467c304884813d7922330eb1b

SHA512
6f59aebdc66c9bc44d543b171ca194483ca7b6e96d3a0681ccc45ba01167aa9317d46a98bc1d8edbeb3ecaa6caf9a9eac3841eb675245fde8ebbd1c8dc7bf8a9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
541c6d29c3057d6b875908156ce45e40

SHA1
02e9101f72cfd3a9d0fb5f97a3f378546b2b1a61

SHA256
f236d1c2302a3ab625232dd5124a0ae8d94d9af84dc2069da92535f7d8cc7d12

SHA512
6486d771d738ecc5e13fa83ad4dba883c779dd7101ac9c36d46f192201fab88591cf5104ba8149f89330a4f2f493d290311bda70cbc0a1642e447166529c008f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
1082f4bf36edd425aae2ea8a94bf7f4d

SHA1
029af29d1547524591a257ca433e7e47eae89d53

SHA256
3c5460c27e4640e59282a378f5a4a7203d45ec2128ae7f7886493f7fa9c8edc2

SHA512
d61b5e5dc14b6a8e9a746b56908da73824f2aea300b294983571290636d06a08cde5b1221ec8c20d3e0a53fee458d891e42c6d144ca28dbfb29e3988794f1096

Download Submit
\UserDotGU\xdobsys.exe

Filesize
3.0MB

MD5
ce3d0c3850af0889b88477d04536789d

SHA1
841d168690a9ca85a0f89135589fa7d1771ac02a

SHA256
e01291e876eef08c818759647fc1fcd9ac155b48801926181e675bf790277210

SHA512
25e6e2cc824ecf5a0aca17e84f67a355ad233c266df2f37dad5b00e95a5e64f04817fde07aae75871190a652e3eee25ba7390ee24336cc946759b1cdab7701b8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.0MB

MD5
6b8898f9fcbcec39ea87f9cffe30d296

SHA1
72388800ff0edfee5ea50817426470f35e51339a

SHA256
1b8c34338a434a191c4d2ae9e4efc5e9ffb4a3be659951dd3b92fd3735e93e2a

SHA512
cebb6b6ba2047ca25252dcdf6d5880bc838d61b0bf067e3f8a3d658f636f36dd8695f8f5154a9670c223e18cd5966e2c119e37bbded9c3758615673ff93ce6ca

Download Submit