Analysis
- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2024, 14:49
Static task
static1
Behavioral task
behavioral1
Sample
50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
Resource
win10v2004-20241007-en
General
- Target: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
- Size: 2.6MB
- MD5: a090dc0f5b9a2dc6498e66d6336da710
- SHA1: ca5f8b4ba7aba68609734727e7c9ebac0bf6a407
- SHA256: 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7
- SHA512: ea713af642c65d011ad5b2c9c8fd325f7027c4598914589f6033ce0659d2e8a86798eb15a7eee591e5e0d2bd01c98dad3b9ebec296aa6743741795f5415a1243
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3056 | ecdevbod.exe
  1452 | xdobloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. No individual IoCs are listed for this signature in the report.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7D\\xdobloc.exe" | 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK9\\dobxloc.exe" | 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  Both values share the name "Parametr", which is a usable hunting pivot on its own. The Run value points at C:\Files7D\xdobloc.exe, which did execute in this run; the RunOnce value points at C:\GalaxK9\dobxloc.exe (note the different file name), which does not appear in the process tree below. RunOnce entries fire at the next logon, so a single sandbox session would not show it running.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  1312 | 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe | 4 (the first four entries)
  3056 | ecdevbod.exe | remaining 60 entries, alternating in pairs with 1452
  1452 | xdobloc.exe | remaining 60 entries, alternating in pairs with 3056
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1312 wrote to memory of 3056 (3 entries) | 1312 | 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe | 88
  PID 1312 wrote to memory of 1452 (3 entries) | 1312 | 50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe | 91
  The only write targets are the two processes the sample itself launched (3056 ecdevbod.exe and 1452 xdobloc.exe). A parent writing into a freshly created child is normal CreateProcess behaviour, so this signature on its own is consistent with the process tree below rather than evidence of injection into a third-party process.
Processes
- C:\Users\Admin\AppData\Local\Temp\50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe (PID 1312, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (PID 3056, depth 2, child of 1312)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files7D\xdobloc.exe (PID 1452, depth 2, child of 1312)
    Command line: C:\Files7D\xdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
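The persistence IoCs in the Signatures section and the parent/child relationships in the process tree translate directly into host-side detection logic. The following is an added example, not part of the sandbox report and not code from the sample: it matches a stream of Sysmon-style events (EventID 13 registry value set, 11 file create, 1 process create, with the field names Sysmon uses) against the report's Run/RunOnce value name, its Run targets, the Startup-folder drop and the dropped images. The events in SAMPLE_EVENTS are constructed for this example; only the paths, the value name "Parametr" and the image names are taken from the report. It generalizes slightly beyond the page by accepting the kernel (\REGISTRY\USER\<SID>), HKU\<SID> and HKCU spellings of the same key, and by covering the all-users Startup folder and the machine-hive Run keys, which the report does not show.

```python
"""
Added example: match Sysmon-style events against the persistence and
process-lineage IoCs from this sandbox report.  SAMPLE_EVENTS is constructed
for the example; the IoC constants are copied from the report.
"""
import re
from typing import Dict, List

# IoCs taken from the Signatures and Processes sections of the report.
SAMPLE_IMAGE = "50cf27704aaf2f87d1d5d2640b475bdc6ee4d72628e97161c563ff8987011dc7N.exe"
RUN_VALUE_NAME = "Parametr"
RUN_TARGETS = {r"c:\files7d\xdobloc.exe", r"c:\galaxk9\dobxloc.exe"}
STARTUP_DROP = "ecdevbod.exe"
DROPPED_IMAGES = {
    r"c:\files7d\xdobloc.exe",
    r"c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ecdevbod.exe",
}

# Run / RunOnce under the user hive (the only hive the report shows) or the
# machine hive, including the WOW6432Node mirror.  Assumption for generality.
RUN_KEY_RE = re.compile(
    r"^HK(?:CU|LM)\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion"
    r"\\run(?:once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Per-user (AppData\Roaming) and all-users (ProgramData) Startup folders.
STARTUP_DIR_RE = re.compile(
    r"\\(?:appdata\\roaming|programdata)\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)

# The same key is spelled differently by the sandbox (\REGISTRY\USER\<SID>\...),
# by Sysmon (HKU\<SID>\...) and by humans (HKCU\...); fold them together.
_HIVE_REWRITES = [
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\", re.I), r"HKCU\\"),
    (re.compile(r"^HK(?:EY_USERS|U)\\S-1-5-21(?:-\d+)+\\", re.I), r"HKCU\\"),
    (re.compile(r"^HKEY_CURRENT_USER\\", re.I), r"HKCU\\"),
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I), r"HKLM\\"),
]


def normalize_registry_path(path: str) -> str:
    """Return the key path with its hive prefix collapsed to HKCU\\ or HKLM\\."""
    path = path.replace("/", "\\")
    for pattern, replacement in _HIVE_REWRITES:
        path = pattern.sub(replacement, path)
    return path


def match_event(ev: Dict[str, object]) -> List[str]:
    """Return the IoC matches for one event; an empty list means no match."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        key = normalize_registry_path(str(ev["TargetObject"]))
        m = RUN_KEY_RE.match(key)
        if m:
            if m.group("name").lower() == RUN_VALUE_NAME.lower():
                hits.append(f"run-key value name {RUN_VALUE_NAME!r}")
            # The report prints the data as "C:\\Files7D\\xdobloc.exe": strip the
            # quotes and collapse doubled backslashes before comparing.
            data = str(ev.get("Details", "")).strip('"').replace("\\\\", "\\").lower()
            if data in RUN_TARGETS:
                hits.append(f"run-key target {data}")
    elif eid == 11:  # file create
        target = str(ev["TargetFilename"])
        if STARTUP_DIR_RE.search(target) and target.lower().endswith("\\" + STARTUP_DROP):
            hits.append(f"startup-folder drop {STARTUP_DROP}")
    elif eid == 1:  # process create
        image = str(ev["Image"]).lower()
        parent = str(ev.get("ParentImage", "")).lower()
        if image in DROPPED_IMAGES:
            hits.append(f"dropped image executed {image}")
            if parent.endswith("\\" + SAMPLE_IMAGE.lower()):
                hits.append("spawned by the sample (matches report process tree)")
    return hits


def scan(events) -> Dict[int, List[str]]:
    """Map the index of every matching event to its list of hits."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}


# Constructed events: 0 and 1 are the report's two Run/RunOnce writes in the
# sandbox and Sysmon spellings, 2 is a benign Run value that must not match,
# 3 is the Startup-folder drop, 4 is xdobloc.exe launched by the sample,
# 5 is an unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r'"C:\\Files7D\\xdobloc.exe"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\GalaxK9\dobxloc.exe"},
    {"EventID": 13,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"},
    {"EventID": 1, "Image": r"C:\Files7D\xdobloc.exe",
     "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_IMAGE},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, "; ".join(hits))
```

The value-name check and the target-path check are deliberately separate hits: a later build of the same family could keep "Parametr" with a new drop directory, or reuse C:\Files7D with a new value name, and either half still fires. The RunOnce match is worth keeping even though the sandbox never saw C:\GalaxK9\dobxloc.exe run, because on a real host it executes at the next logon.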
-
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists the files written during the run by size and hash only; it does not say which hash belongs to ecdevbod.exe or xdobloc.exe, so do not pair them by guesswork. Three of the dropped files are the same 2.6MB size as the sample but have different hashes.
- Filesize: 2.6MB
  MD5: 72a16782a265923db2e3338eae449172
  SHA1: 3d406c1c5ad077c9de7c5565bf6e027f6891992e
  SHA256: f9affbcd2fbcec63009f87e5afdf949c462ffbcd79aec44d7a929d1ae2a431b5
  SHA512: 1b3f4642564a6dac318f01caf19a40799fe2f4ac073943bc92ab1111bcb050cb210124bed8af682b8ccfccb9fa41e25070ff56f027e242e5f3c9c8be4b5df1b8
- Filesize: 2.6MB
  MD5: 8f79af9310a3d262ef129d280b180f5b
  SHA1: dda598130d6af8066af8021d3fb2a03eb988c830
  SHA256: e94f96a514a721db424b083511c4b06447de77b3886c691d4ca0121621235837
  SHA512: 55c128d559b24a10d645aefd556f5a84c8da67e7154cc6764669dd85350baec64e0bbd784d4daad9e88efddfe7e838fce55bbaad5ea8b935b64753d22d162719
- Filesize: 2.6MB
  MD5: 187bcc32c6c18b1e7fe8267bb33c4b4c
  SHA1: 32f3b48e085799e3b00d307f1ee2325a2e10b9f3
  SHA256: d53e432e31c7ab029ffb742210ae2933379728a900a09c7dd3273ff2866e1e94
  SHA512: 1b0c5f38f68c226901ccaaedff88b853d96583b5d59c0a2201944ae8b95ad7f566acc12a9baccb037d43b2d24477b62c80719c84616674785843e57460ed1202
- Filesize: 202B
  MD5: 6f0322acc60cf496c2bbbbb9c26a2f6f
  SHA1: c70a17d64203f5da0c7c180db09b6eedce7c13ab
  SHA256: 98a29bf3345f6594dfb41171594a82b35bbe6410cf456bcebbbd569c009cd0fe
  SHA512: 216db69a66b5e67a0192c183644e6c4339b9c73d31a961a8dde138be1b7aee1c77645152589cc4fe716c019267e08c5beaa9239037e11499cb2b2e822e4fad52
- Filesize: 170B
  MD5: e6ce8495ecafb97985dedf6f40d586df
  SHA1: 817669ddfd3f4722fa9f4206ef14860e1c7756f6
  SHA256: 63c975ba49f1cc1f2a45825137768cb1a3a7b6e0912c3463535db294f7e72e3b
  SHA512: f8f10af4756d68c39b7d22a74fde07d3c8b0278e16616d07703b65f558a1affa34e7fb15a26c2ade5c5b4f7dbb7e08859876d3710cedf666fd15395a28f2843c
- Filesize: 2.6MB
  MD5: 6cbf66966e1e3ea688f41de9ea990e30
  SHA1: f5c65ebe69b5482d8f6e3b3f701b8f8d5e8dc38a
  SHA256: 6589656debcec3d6d6c25a14fc620691e4ebf64900ac6b4a2ea5eef8d37215db
  SHA512: 978e0d7d771ad8f62fd77adb9f9b57457d76d61f96c5b03d672950f2fe01798114c53e2a9b3ceb8bf85d01dfbdbe5e02cdda1a510e9a87d076aea6de82c48700