ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe
Size

2.6MB
MD5

481024bcac7ce4ee44228fd3cdb266bb
SHA1

9a4c3849760f361aa13c5abd2473a3647d968e53
SHA256

ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d
SHA512

b975c302416c8581e380956c95a513595627d8bf185e088baad321dcf28612bd1de38d1956408e745425e5749c7efbe100bbf2cc3a0aeea0cf4938d4803c8d33
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSq:sxX7QnxrloE5dpUpZbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	ecdevbod.exe
2912	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe
2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot09\\xdobsys.exe"	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFI\\dobxec.exe"	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe
2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe
2900	ecdevbod.exe
2912	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2900	2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe	31
PID 2708 wrote to memory of 2900	2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe	31
PID 2708 wrote to memory of 2900	2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe	31
PID 2708 wrote to memory of 2900	2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe	31
PID 2708 wrote to memory of 2912	2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe	32
PID 2708 wrote to memory of 2912	2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe	32
PID 2708 wrote to memory of 2912	2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe	32
PID 2708 wrote to memory of 2912	2708	ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe	32

C:\Users\Admin\AppData\Local\Temp\ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe
"C:\Users\Admin\AppData\Local\Temp\ad2468cbb0a4d201420679240092d46d8c9b58c7cac4666d892d5cf7698f7a0d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\UserDot09\xdobsys.exe
  C:\UserDot09\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintFI\dobxec.exe

Filesize
2.6MB

MD5
80dbe8f8ef1d4d4186c0f64be8c2a4c9

SHA1
906be7c8591522070907bf35021fcda5fa3ebaeb

SHA256
d64a79553bec0599375b9919721a397ee17884efd4a959a848e2b4273f6c254e

SHA512
2b12de6add864acb627e8b2357540fd71e8134873625880e5d85c4e6b730c8427a39e85222d1350865856b3d14a0ff78a7487fae478383da3a318168fd2c6201

Download Submit
C:\MintFI\dobxec.exe

Filesize
2.6MB

MD5
aba87a20f34811e68bfe44edddffee08

SHA1
99eb0de3c1b83f9e073c917426523cf98bf3611f

SHA256
044c6efdb3cd7097eb1b424925a921a2b308eee35041dc59f903c02987104222

SHA512
3b471f71d76034dc4fb0e00171200bed36005108288a078588af607312bfe1a488d94b9b20f6be8be70fed6b34b92f2c05ea37623e24003af124053bd5be7164

Download Submit
C:\UserDot09\xdobsys.exe

Filesize
2.6MB

MD5
e5595e3e5281018a330f2be983bfdb70

SHA1
413b1380ea5a1d56c287cb1a509688dd39d5a507

SHA256
cb9ec4e76bc9675b3ce4bd70d7955a253d1ae640d4b5d1a828d76b852c11ad30

SHA512
3788837437644fe0ba4e64d786603fdd32e2ff95cdcaea67b4a1aac60d71168034dded0889c83bb95b60689ff5a5f9f36ac0c4f071a493f169ff9d263eb7e0e1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
44cd4de44e536902345821d3b4ee3f15

SHA1
a4f1ff2e087fa4689ac129ab5d44b4c2237e34ea

SHA256
eef58a55fd1db640aff862193af29a67a1aa056bf7936a5eb876868d68f1e37e

SHA512
0f5a92b9346ff38f0cb6ff8ed67f30b77af3fc4e435d4cbc318e26a3be1aa0ab867cfe74eba58a46fc3c9512136c03b6c032a2c892d53919cd62238a12ed99a3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
6970e885595eb288dc733184aabd8276

SHA1
ed450da6ca7401c1196bcc1ed6550c6e30638d54

SHA256
09115e6f45028b8b61b4e9d57bdad5949c1a1b5f743b95a8ab442c5c67fdcb18

SHA512
00f97ab835d5e0d909801a01a5cbe25ad86bf6117b04e1989d554b6d547b594705e8f2b6ce9694b65ddeece45a5e483ada4f34913d4d75bbbfa186c70c8fe4df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
1b14f5e9dceaf0ca711af531aea92ed9

SHA1
9aea681005df7424b1f4eadba53095213e1e4b81

SHA256
cb40250f2354eaaa06825faa13a982a59cee9b912bb787c62867bbbf5a649a37

SHA512
43a3093d4b7ba9be9fbb272bf55b8217b465fb413d601d4791289a0a6fa3798720d080ad165b0050eb1a354631c4d3b940dfe6d014c0fbed5d6d25e487aa9081

Download Submit