Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 19:46
Static task: static1
Behavioral task: behavioral1
- Sample: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
- Resource: win10v2004-20241007-en
General
- Target: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
- Size: 2.6MB
- MD5: 8dd78af353a40a21e7f4a68d1f98d862
- SHA1: 968360bbe8492b80a45278d27f38f55a03dff1d2
- SHA256: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d
- SHA512: dedf814fd9efaf3506bfeddc1189419968b2d2bb11927fae67936938d0a2a9518b1e319267f2a9b633663e9adb19edb4297d664f1f4492327c50a64e40b07a17
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpWb
Malware Config
Signatures
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (process: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe)
- Executes dropped EXE (2 IoCs)
  - PID 964: ecxbod.exe
  - PID 2936: devdobec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFD\\devdobec.exe" (process: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVF\\dobaec.exe" (process: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxbod.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devdobec.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries across three processes: PID 408 (1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe), PID 964 (ecxbod.exe) and PID 2936 (devdobec.exe).
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 408 (1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe) wrote to memory of PID 964, procid_target 86 (3 entries)
  - PID 408 (1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe) wrote to memory of PID 2936, procid_target 89 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe (PID 408), command line: "C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (PID 964), command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\UserDotFD\devdobec.exe (PID 2936), command line: C:\UserDotFD\devdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads