Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    03-06-2024 05:48

General

  • Target

    fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe

  • Size

    3.6MB

  • MD5

    56981af27179a55421ace1b07a50962e

  • SHA1

    f7fd6767bb14e2859411f06755c022c0fca8627b

  • SHA256

    fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777

  • SHA512

    b4396b9fd47157522bcc846ae688a1a197f5b31ab23ca1d5ff34febaf7bb066a11520237255863e98e66febef6a6ba9556ec5ecc4f69f9e2a2c9b79197817825

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
    "C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2548
    • C:\UserDotEG\xdobloc.exe
      C:\UserDotEG\xdobloc.exe
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZH4\boddevloc.exe

    Filesize

    3.6MB

    MD5

    1c5ca0f427c0991d13699ebfbcccf79e

    SHA1

    579ffcb5804e4df36968c4ad790cb570348d5c13

    SHA256

    0fc34c0bbd0dad0e41a7581ff3d36d42bba51af91244158c9310ceccdb1ed980

    SHA512

    c5bae5f1b5affcac55927e9601c7a9f38a72992217f7b603e68e877704e065b1b9252e48dc2365a859f8d8b41f7a9fa181bb969bfc42acd0cf7f8d3f0418c908

  • C:\LabZH4\boddevloc.exe

    Filesize

    3.6MB

    MD5

    4c026ae806777f73d5b2448b1ece46fe

    SHA1

    8fcf647fcefd602bd4c8a742d51fa94febf2a66e

    SHA256

    219aaf32ddb938ab0eb922d3cf1cf5ce054dd928b3f34633000f039645e6f746

    SHA512

    e0312b459b91d9ecf9a3d94f66547367b6bbaa65237f053b8639035c0ba2d6fedb17cef6480ae65c3240a6d2d5c87a7512d57f95f1f40eb0ed6b0b379552dc15

  • C:\UserDotEG\xdobloc.exe

    Filesize

    3.6MB

    MD5

    f1eba410de9ae20a71164337c3f0ed62

    SHA1

    f5bb3c4624d89ad2de6f8314abdbf6debb1efd2e

    SHA256

    8fb2731c4591287a0c8deafcf0f49ea4a457c0d4e668809d39638fe9d8e8ce49

    SHA512

    a4bce017e4be40ae7ffdb69f2d31e8549dd0ea866c5c0a225179d190863659ac3d021576c35bea38141ecaf728685f9bd55c19b0aebddfea776d65f3284d2368

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    172B

    MD5

    ee129eb44fb023bd52fccd204aed6852

    SHA1

    d7ceca78b36bcd23012401c7837e8d33f2b15652

    SHA256

    7894460e593d9cd5521ce1f3740e395553e73b038296cd288210b363dd6e95a8

    SHA512

    800f4f0c5b26df12d2d90e2768161bfe501b074405ad3a124e1337d80d54b30d2610e1a6ff1202e8da53d465ad19d573557039e3ca9d352d519269c5277d8f4e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    8c3ab458e6ac60419fb362853981a58a

    SHA1

    3f51913ce0be3080cbc323384e077ff2dfb0b3d7

    SHA256

    03c251a9b8f9751059d5a9e5e66981e34692340907e542bc8d3328e416ea48b7

    SHA512

    91de8b2ebaa8aab0c39ba812699d2f3b6327cff360b01c3562b57a83dc8cd77687e637ccc604145446370028bab7188f38479f92ea2567103d5bb8808bff88d8

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

    Filesize

    3.6MB

    MD5

    b7ce3d96ed2eae43fbff12fabfddea61

    SHA1

    cca20e563680278312288e4837b1f133befe6855

    SHA256

    349aabb46d08255ef1edbb49ac73c4b4aea179407619b8ded91baf90cf26b259

    SHA512

    be4252467038d0febb383b924cc367d103b4e420cadecdc60a065833a7133ba64a4b6482946811d980b7b62d73168caa77b58c31364bac359b662942acc49ee9