Analysis
max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
  Resource: win10v2004-20241007-en
General
Target: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
Size: 2.6MB
MD5: dc534873a9ba105945ebf06e192419f0
SHA1: b51bda8ba241a8554fadbf7a8613e9f2bf055b89
SHA256: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729d
SHA512: 8aae109d654457002c11c5537d1078a03fe1304a62725830a62326b29aedd5aba70a29b88f67ebbe1a696369698238946b1a8de0e6ce011004c9463e698819fd
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bS:sxX7QnxrloE5dpUpZb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (Process: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe)
Executes dropped EXE (2 IoCs)
  PID 2532: ecxdob.exe
  PID 2388: xdobsys.exe
Loads dropped DLL (2 IoCs)
  PID 2272: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7K\\dobxec.exe" (Process: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGM\\xdobsys.exe" (Process: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: ecxdob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: xdobsys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2272: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe (2 entries)
  PID 2532: ecxdob.exe (31 entries, alternating with the following)
  PID 2388: xdobsys.exe (31 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2272 (27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe) wrote to memory of PID 2532, procid_target 31 (4 entries)
  PID 2272 (27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe) wrote to memory of PID 2388, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2272
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2532
  - C:\FilesGM\xdobsys.exe
    Command line: C:\FilesGM\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2388
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: e22de5f41576f07b7da12b235e19cd86
  SHA1: fcd3338bd3498381399ca2704bc7cf3ea2e05206
  SHA256: 75cb20e5b3f2a2011187aa8dd996028246297da0546bd2dae57a72050cacf00a
  SHA512: 61fd65ce1311b906a8c45636c816079bdead81e5b871d2cd89998fce42ad79a4aaf711509e00837957b9313ff21fc423d16666c8fbdfa9288b182ab29ae47dbc
- Filesize: 165B
  MD5: e37db96e75a868e1ad3d3faac6e0c733
  SHA1: db8aa4bf67a0f6dc962766ab0b84cb92b1ea191e
  SHA256: b4bd4ef879b7fa336c229186de61743fbe83293630568aa16c63ed58a3a2d9f8
  SHA512: 8741a8c16a43383b7e49e40ebafc1f660f69d8d435848c57d66707b0f0b8f79c4d6858657fac56a7decd0c6a57bd778d561d69d96cf6e84eca7b5e4e672e1389
- Filesize: 197B
  MD5: 08f2f11c2c26b0daf18924f338b2c1ee
  SHA1: 634fbd15e5744ba735bbc9ba7406b7178098c281
  SHA256: f4352ecd63843d729949ec51ea54f85856cd80920069811ce841cc086c70d07a
  SHA512: 9b1f295453bd62ecaad4239e3d1d656a733f177bd6e1f39736f4b06680e6324295656a14caf1a8c2cc3b5cef38447f8a2d7372258c0171452e98e501fb7b8fb4
- Filesize: 1.4MB
  MD5: a2af908747e0303548cbd2a5c06b8ea2
  SHA1: a793c506ffe0cc3ddecf62f3eb616df558a761b7
  SHA256: 26b4a8936b61a7fba4027bd690fb5b8719ab5f18abc27a51cdfff6b11bb99f12
  SHA512: 1ba28df9c2b46dfc326249fc620be0a56588aecbee45692faf4644ac6c18b2eb182dc23e3e55b8d57581926d595b6503a60e8d705ef3dc6e2771bc6ade28b48a
- Filesize: 2.6MB
  MD5: 08cefc228d02dd6c33d4df6381be2da7
  SHA1: 8f686c55c4b54cf955a804ab93d328f829c7279e
  SHA256: cde0fa3aef7a9dbc90832e063f82e17ba3296aee5409825b0c2b9ea0a2e57ebd
  SHA512: fccd8a43789d7f50d745941770b18cab500cf736e2c7594bccc13b97f8892227806c64b9afa09cd13cca70d820d135cb45b1e4df7d5864cf74509a841da6fca3
- Filesize: 2.6MB
  MD5: 73e44f1f47e4972799bf160f015e6382
  SHA1: 128ffe5f83a41f37aaba14f6a64f6080f045fb23
  SHA256: 547c87a1c89f76dbf1bfe39aefc8903a2067ee62606e2bf47139f4397b5b7292
  SHA512: 8da0e5760844bd76a9b3f391153a62127ee3f678fcf1ff867637f7b082c591874d49b45590bb2ed137902366c8e82e26a4eaf0bfce05a4e73221cae7f1a0ff01