60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
Size

2.6MB
MD5

4979549ffeb15b3a35518ee078efa6c8
SHA1

92b5093771d0d49794b688aec922a1322ef97259
SHA256

60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d
SHA512

da1637076866f1f1b9d8a30a97cccaf01552c0764f6c87022fa47fc27f709f5a59a75637a9aced327fd8ff22ecf8b6ef6eff7474471057d326dd957efabcb1a3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpZb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe

Executes dropped EXE 2 IoCs

pid	Process
1588	ecxdob.exe
2796	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUB\\xdobsys.exe"	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSQ\\dobasys.exe"	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe
1588	ecxdob.exe
2796	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1588	2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	31
PID 2024 wrote to memory of 1588	2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	31
PID 2024 wrote to memory of 1588	2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	31
PID 2024 wrote to memory of 1588	2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	31
PID 2024 wrote to memory of 2796	2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	32
PID 2024 wrote to memory of 2796	2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	32
PID 2024 wrote to memory of 2796	2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	32
PID 2024 wrote to memory of 2796	2024	60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe	32

C:\Users\Admin\AppData\Local\Temp\60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe
"C:\Users\Admin\AppData\Local\Temp\60c41a36a04f8d4f67c32dd91e73d6c7b92db7cd6b2d1294ac6604cb40dae30d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1588
- C:\IntelprocUB\xdobsys.exe
  C:\IntelprocUB\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocUB\xdobsys.exe

Filesize
2.6MB

MD5
5978450795f583c4939504006ae431e2

SHA1
a284fca603df351a099c120ed3e4e4524df81b71

SHA256
12f17c9432361304158e94e1a3c3928a887c169f1f116962eff1041b9118b5c3

SHA512
57ac3dfed5f580e2808e66fa234522765f4db26720899bca5afad92cf2e552fc9f164a7fd1df8911c1d304aa99fae8d8e6756b65c5847a43fc637da78c7bf8da

Download Submit
C:\LabZSQ\dobasys.exe

Filesize
2.6MB

MD5
0a02175405d965cc035a1434b90a0ca0

SHA1
22f8d95919bb15330b2bbda138e2a88275397c04

SHA256
ff77da8fb4d6008fc7a35438b2827985d4105f9763ef908742b44e2fad53ab37

SHA512
37e1d9e51d4d4eb4470c96d6aa528b6c6bbee8ef5c636fb6d15b74128cca311a3db72b8f00d8b9858a11611e40e7a2f8b2663055ed20b37c2c9b7706167296d1

Download Submit
C:\LabZSQ\dobasys.exe

Filesize
2.6MB

MD5
e514db97564ebe2715e201fc3b95faf7

SHA1
43a4b811f5a5a75084ad67087f1b0e22c8b55dc0

SHA256
4c6010e367b7588161c9a33176bade9e06afe6aa19e4fd85ec7396064efc766d

SHA512
5ef2b7a6efd31cc96ece5acc481fb8dedba1275fe4dd8734eeba28081513ec945d92a84ecba2b55b033bb00549e0184b26606aa0a5a11caed2139d9e5f9921b0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
e10156bd3b1e11cd130845afcf199e65

SHA1
fabc55008b0f334050b50935a366bd36ee3ab7fd

SHA256
ef2fff5ec9511f2b443b89a23bf4301f19c553892ce14b27ca947d49224cbaa9

SHA512
6a3e4867c170605d3674bb2e6177cd8438b9284ae17d40b23fd2b969060ce54d07f2f12cd717210372cc2c8ee059f18d5e740e8dc4a9a1b017b316ca5b4a1895

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
7cd2b3aa8c1f8592251915deb1bd8f4a

SHA1
8bce79dc9347e68a371553beeafbc63a48937497

SHA256
43c84705d4d2dbf0f86ef3cc3fff295bf1b6fad973be6ff7e69b596925fb54a7

SHA512
350033d21f9d531d0a77d16e70032300ee7b46f3ff93f37289b5d0ae007cc79591e121c0ce87625acb8b86517dbee0639e7049d419e0fa192802c67a1e16c8da

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
bee8c086d3a2f4ec27e899edd0d2e293

SHA1
29abafece21f2537439dfc4964f77eb26c423d50

SHA256
66409fa1d2238873aff5583c93a10ec4625c0f715397076b0ce842ef9356cc90

SHA512
012cf334beeffdce48b088b877f17596ae93189ef871cce72524c998e567e1d8b864ec734eb256af81331ff68658756792cf6cbaba6a92337e26f9aaba25afc9

Download Submit