f37711a5468cd6c73634bcd4d89d9fe33617e4ab0bee0fc1c400bb5e54c66490

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c310345f776bd70917375b46c831da00N.exe
Size

2.6MB
MD5

c310345f776bd70917375b46c831da00
SHA1

99649095eebf035f97d8b421f75d5837ff5811e3
SHA256

f37711a5468cd6c73634bcd4d89d9fe33617e4ab0bee0fc1c400bb5e54c66490
SHA512

2cafede97638d1d662cfad700c5c78796603ae67df475ebc9d7489d1143ae7c7d68cf2157ea11a2746ee5cc1dc173b291982af8e60ce731d92de84e2b07ed93b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bS:sxX7QnxrloE5dpUp6b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	c310345f776bd70917375b46c831da00N.exe

Executes dropped EXE 2 IoCs

pid	Process
2164	ecxdob.exe
2776	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
588	c310345f776bd70917375b46c831da00N.exe
588	c310345f776bd70917375b46c831da00N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3R\\xdobsys.exe"	c310345f776bd70917375b46c831da00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0X\\dobaec.exe"	c310345f776bd70917375b46c831da00N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c310345f776bd70917375b46c831da00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
588	c310345f776bd70917375b46c831da00N.exe
588	c310345f776bd70917375b46c831da00N.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe
2164	ecxdob.exe
2776	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2164	588	c310345f776bd70917375b46c831da00N.exe	30
PID 588 wrote to memory of 2164	588	c310345f776bd70917375b46c831da00N.exe	30
PID 588 wrote to memory of 2164	588	c310345f776bd70917375b46c831da00N.exe	30
PID 588 wrote to memory of 2164	588	c310345f776bd70917375b46c831da00N.exe	30
PID 588 wrote to memory of 2776	588	c310345f776bd70917375b46c831da00N.exe	31
PID 588 wrote to memory of 2776	588	c310345f776bd70917375b46c831da00N.exe	31
PID 588 wrote to memory of 2776	588	c310345f776bd70917375b46c831da00N.exe	31
PID 588 wrote to memory of 2776	588	c310345f776bd70917375b46c831da00N.exe	31

C:\Users\Admin\AppData\Local\Temp\c310345f776bd70917375b46c831da00N.exe
"C:\Users\Admin\AppData\Local\Temp\c310345f776bd70917375b46c831da00N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Files3R\xdobsys.exe
  C:\Files3R\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files3R\xdobsys.exe

Filesize
2.6MB

MD5
51e55091fc233e558b4712370491e3bc

SHA1
04a5bc61f9daaeed05598109b9d1cc09ef3036dd

SHA256
42988063767d4f4bbc5f4df7460ae1ebb68bcf95c23d967ba49d9c18cafd6095

SHA512
c6b33719565c8ef6135e7cbe2ec2e701f8c71aa7e9c640531b45e843c09d7a27316c8fef648dc8d28656651c73444a497451ce0bafba630a113a4931ae90776c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
165B

MD5
07f4770f6222dd2fb43344fcd722b07c

SHA1
6c1db09d80ad01a47c359828cee2fe10dfff4ee8

SHA256
37e8cdfc43a91df2a95f91caa63e9a4975187a96629d4d2ef948a2de0ff7ae43

SHA512
4e3392ac0cd0fbe31bdd396c8cf9571093c3abd940ba7ecbb815c0db24525c9f80c57a7a197ecb17b0f32d043b3e9ac5cde2c51859cd0d044632ffc069a38e70

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
197B

MD5
af84ddc1c513e10c8ca77571e819b1f1

SHA1
823dc128c3f0e828ea500d24a1ef1f2019671003

SHA256
d8bc79d0ecb2ea11e208ddeb62846d257c54b9f47af5a800e76fbb0b272f0bf5

SHA512
434a73b320aa20fc7d29ca42c9787bafcab04fef558f184986608095059fb45db3718b903985c964bbe4119d1ae322ec943a48186a9274760d844ae173c0f244

Download Submit
C:\Vid0X\dobaec.exe

Filesize
2.6MB

MD5
a8039ff55d9f83cd4c1ff86af144db27

SHA1
6e81c969f7b076034a69658809fa3578d37d2bb8

SHA256
44dce038915891bb2191f03784e7ae0fbb317cd93961f2b51395571fa624b708

SHA512
0ccfdf005717a36c2d4bf43cdf7ef333c80a694a7edecaebb56882bfec30cf3c34ce3d91dd237f850f08320cc77764a124ec6a0724e1198d31398d94485ea038

Download Submit
C:\Vid0X\dobaec.exe

Filesize
2.6MB

MD5
ce57aad21818d51749cb989b5cb3da8c

SHA1
c0f0bc2f2b5390d9e743d465b9eb13c4aa81169e

SHA256
320ef5bdd4f4058c417a7adba58281e11a90cf963ecf81d626d5dc09cf9315a0

SHA512
3736e47ca6ee53e7d905dfdd0e75a64b5a43ccac7b6278966d83dea49e830487004c9ce106b6d4b709ec2caebf81b01f3c7869e8a5afbc546353ce341b9fd435

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
7b608ddfc4dcccb0402817729c62ed31

SHA1
c155ffbd8b42ae1fa7691e1ccddcf5f1ea89e74b

SHA256
92d62298364ed0cc5df93966ea5094cfe826ee386622157d8ae2a7d286d89533

SHA512
8e14c395f628e06ced525b35b8dce35db6cb15c1b6a34863d0a19e3ddc415213fc724c3af1f863f16b69fd959c114b687e2959bdf11155fd4f314650dce41a1b

Download Submit