Analysis
max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
09/11/2024, 01:19
Static task
static1
Behavioral task
behavioral1
Sample
d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Resource
win10v2004-20241007-en
General
Target
d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Size
2.6MB
MD5
f975d76498c7cff6e1a283bcb5a167e0
SHA1
278b1b0092b196db6a2fd168a35c7bde8763e430
SHA256
d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113c
SHA512
b4629ef75eb898a47bda3871d337a5a61856929202689ba83fd67ab0e62a7339ccb802fb06d199ce64fc0c31b759bc08c4335d5dd3e8019b9f802783876d8de8
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpLb
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Executes dropped EXE (2 IoCs)
pid | Process
2688 | ecxdob.exe
2784 | xdobsys.exe
Loads dropped DLL (2 IoCs)
pid | Process
2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOT\\xdobsys.exe" | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRX\\optidevsys.exe" | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxdob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
2688 | ecxdob.exe
2784 | xdobsys.exe
(the remaining 62 entries alternate between 2688 ecxdob.exe and 2784 xdobsys.exe; repeated rows collapsed)
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2528 wrote to memory of 2688 | 2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | 30
PID 2528 wrote to memory of 2688 | 2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | 30
PID 2528 wrote to memory of 2688 | 2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | 30
PID 2528 wrote to memory of 2688 | 2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | 30
PID 2528 wrote to memory of 2784 | 2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | 31
PID 2528 wrote to memory of 2784 | 2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | 31
PID 2528 wrote to memory of 2784 | 2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | 31
PID 2528 wrote to memory of 2784 | 2528 | d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2528
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2688
  C:\FilesOT\xdobsys.exe
    Command line: C:\FilesOT\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2784
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2.6MB
MD5
4d9cf771fb8e74a81c50672c908d776c
SHA1
53284bcaeec8a6a73c8b3514b1e2715c498de845
SHA256
e9443a1a72f434f1b4ff26caeb142b9a999a7c5ab2e99a442049c1d6acf5c4d1
SHA512
eac6f863c9b02fd4c497baacfce748df9f3371874fac9b62ff8c4ab1a8ae4dc4aa41adc002c4314e0caf26bbc696e06b3b17e64e99252491a47c424712a135cb

Filesize
2.6MB
MD5
ebdc35d7254c99def9219917c79662f0
SHA1
778cab0923645fd7b82b64146c66feea9a1801b8
SHA256
5278fcc45f79b614aefc74622d200753e7bd388b0ec499bc3cea4843d68a0b4c
SHA512
4be269edb11d776925ed68d44cd7288152fde38b412646fbef10ae7a7c171cc90e33b3ccad7cae7bbd3dafafbbc6b8f9e512644f21e2df767da17b3651d559bf

Filesize
2.6MB
MD5
a1e8daec3c0529d0c84653e594c674e6
SHA1
4b4dbbd2659b9766aa856d9fc68b2cd1b9670670
SHA256
cc81ba9b96923f610c291d2334f98e804a8494614f0498e4b5d1d5bf4a7852bd
SHA512
36230da409ec282d6c7a25b7221cd2ff65cc179d6d5e0c95ae503a2fd71f43c4d58528ec7a874bb22e86954716f1df62e5e56cbbfe1bb51563d243237df421e3

Filesize
170B
MD5
34f3c4d39001897f4421795117f84c8e
SHA1
76ab80295f178e7e9fba0c29e7ae340e80147306
SHA256
e3ef49a601373e6399f416a5c100a3e4f616aa350a57b382876525fb584b6391
SHA512
83c04cf1f9dab30b6cb966fc42844775998f38f2ed82b36d3cf5df6c96d54bedea5461bb0b45964c9497bcf52d4f1620c6665550f37441db9f031a89fd6a1548

Filesize
202B
MD5
c438ea64186f522af644e1f3d0a69dee
SHA1
a7e81174feec195e30047b4f3ac9aa5a2e2c3868
SHA256
dd2ff09e6dfd828794000d6f1f19627c376cd239a073dfb5fa39e8edf1aa0294
SHA512
469f98afeb76a7febb9c0e268a39fcdb729fe9cb563900b8acac146b3c3e0966c068f6b2321088b9151f30e7a9a50f37942add0ae92de329d40625147ef8dd37

Filesize
2.6MB
MD5
efcd8aefdb73e99d0de812d7f113a7c8
SHA1
9424344c76ce12dc8c811f785bd90dbaddc74cb7
SHA256
a678197c85e5c1ed4c40e17e2d0c8e92dd8d757ac3c965e5767f2cbb3bb8e478
SHA512
5cd2c0b8f7d247695b15f2920d4173c7dfd98cc9ab2ffeaace7523b94aa46bdb4667b521b61ab70a01ec99b68aab60d871dc9e1bdd88daca8621c3f90273d7ee