e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9d

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
Size

3.6MB
MD5

73d8ccf4d90dc848c8a6fbee1b69feb0
SHA1

27e9df68ab43e4f4fef535e653b367d855b6d8a7
SHA256

e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9d
SHA512

77f9509820a7b6615d6b6cfeae2b3900e00ad78a71554db6d253451a8f486f7dabb9c58b95ed26f0b75b14774248a63ca0f6017de610073e044a06b78c2b5697
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpAbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	ecdevbod.exe
2684	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot09\\xdobsys.exe"	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFI\\dobxec.exe"	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe
2780	ecdevbod.exe
2684	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2780	3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	31
PID 3056 wrote to memory of 2780	3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	31
PID 3056 wrote to memory of 2780	3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	31
PID 3056 wrote to memory of 2780	3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	31
PID 3056 wrote to memory of 2684	3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	32
PID 3056 wrote to memory of 2684	3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	32
PID 3056 wrote to memory of 2684	3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	32
PID 3056 wrote to memory of 2684	3056	e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe	32

C:\Users\Admin\AppData\Local\Temp\e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe
"C:\Users\Admin\AppData\Local\Temp\e6e7baaad09ccdc344044492473c61de8b410bbc6792b04253dd70f6875e0b9dN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\UserDot09\xdobsys.exe
  C:\UserDot09\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintFI\dobxec.exe

Filesize
3.6MB

MD5
7859a1bcbc8d3b2961fe6648c3f88f7a

SHA1
76ca95a5198694f3dce49171b9e98964ac2a2a6a

SHA256
a9b129fd922a6bc4ddb4f678e8311808cdf49e17a22a5727355e9483f75b5e08

SHA512
4e2fc3a4a8d655709ba3692a63defbf2664026ad99edc8db7b580f66714393eb35509a61c57c67f6b36e319efb8a8753e6105e6205c603beb6b0059ebd00ade6

Download Submit
C:\MintFI\dobxec.exe

Filesize
3.6MB

MD5
d20f1f6d16513aeda7663471fa78fb3c

SHA1
e97c1619ee3e71bcf4e5b770ecd2ccba3cc92aa6

SHA256
310034277d888672c7b16f9751b333879fa6427ae0221cb9a43cf2ba82bcb975

SHA512
220a0bf01fd11a2f872c2230d8be31ba9787fa6fb0b30a977922033bc1ebc3121082e27efee6ff573d5a599c2f79f5739cbfe4ebc137a24a8789c8bf49ffcdc6

Download Submit
C:\UserDot09\xdobsys.exe

Filesize
3.6MB

MD5
bd86a7aa63f58ac5298e99731effc2c3

SHA1
15b3c5cbfc613471883d12cae77171f844774361

SHA256
c9d7a9fe68e6a0c9e73fe662f54c0732a24da0ae5e032e63c4d8c8f020c8d6cc

SHA512
f5ed9784eea75267eb51946453a79d760a0f2aa46fc2e04c1bdac37ba30030e9b353e56e7dafdcaa38052f5b53d75e0288a2e0932384f6663d9232adcf24122a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
44cd4de44e536902345821d3b4ee3f15

SHA1
a4f1ff2e087fa4689ac129ab5d44b4c2237e34ea

SHA256
eef58a55fd1db640aff862193af29a67a1aa056bf7936a5eb876868d68f1e37e

SHA512
0f5a92b9346ff38f0cb6ff8ed67f30b77af3fc4e435d4cbc318e26a3be1aa0ab867cfe74eba58a46fc3c9512136c03b6c032a2c892d53919cd62238a12ed99a3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
6970e885595eb288dc733184aabd8276

SHA1
ed450da6ca7401c1196bcc1ed6550c6e30638d54

SHA256
09115e6f45028b8b61b4e9d57bdad5949c1a1b5f743b95a8ab442c5c67fdcb18

SHA512
00f97ab835d5e0d909801a01a5cbe25ad86bf6117b04e1989d554b6d547b594705e8f2b6ce9694b65ddeece45a5e483ada4f34913d4d75bbbfa186c70c8fe4df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.6MB

MD5
37af933e43ddcd5e764e428547bf1004

SHA1
f6f46fb30e81d7cc40dca1abfa75d4b1e311c1b3

SHA256
6c1a53fc8ade38cf4c5b896b174143e98d0a9876b171ee5fb40e18b9bbcc1610

SHA512
15719fcac26f5281f00ab9232d04e27be9a4d67a62efe89395281d8a37609b2e283288dc2e69a13829190459bb2cc7b765ba48124a18d5c299670fcbe3f53599

Download Submit