Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 00:01
Static task: static1
Behavioral task: behavioral1
  Sample: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
  Resource: win10v2004-20241007-en
General
Target: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
Size: 2.6MB
MD5: 28059835fcef9aba9240ae90757e0290
SHA1: a15d9d51328309f8bc59de08eaecfec07483e8bc
SHA256: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40
SHA512: b4be8d2a584785d8092cec220f2b167977f9f53e49cc3a840843381a9ae69fff2bbc04a7b76e536dbe352bb5134e6ef1a9f612ae113a7d55e21600eac329d990
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb
Malware Config

Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (process: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe)

Executes dropped EXE (2 IoCs)
  PID 3040: ecxdob.exe
  PID 696: devdobsys.exe

Loads dropped DLL (2 IoCs)
  PID 2092: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
  PID 2092: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTH\\devdobsys.exe" (process: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXU\\dobdevloc.exe" (process: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devdobsys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2092: 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe (2 entries)
  PID 3040: ecxdob.exe and PID 696: devdobsys.exe, listed alternately (the remaining 62 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2092 (42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe) wrote to memory of PID 3040, procid_target 31 (4 entries)
  PID 2092 (42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe) wrote to memory of PID 696, procid_target 32 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2092

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3040

  C:\IntelprocTH\devdobsys.exe (depth 2)
    command line: C:\IntelprocTH\devdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 696
Network
MITRE ATT&CK Enterprise v15
Downloads