Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
04-06-2024 00:39
Static task
static1
Behavioral task
behavioral1
Sample
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
Resource
win10v2004-20240426-en
General
-
Target
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
-
Size
3.0MB
-
MD5
8d3bfc534b1c71f59199aba85b65bac3
-
SHA1
ef44e9b409ae23a5377d21d740d53f9d5c83d089
-
SHA256
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7
-
SHA512
8e040e9c74a8e2c1e628827b5286a78ad5f827e0946a696f2da9c2e4249afa1d2881daeda0ff263ef50cf7b47c5428b7049dc78653e9630dd5e2abd9765b3f03
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
-
Executes dropped EXE 2 IoCs
Processes:
ecabod.exe, xdobsys.exe
pid | process
2988 | ecabod.exe
1720 | xdobsys.exe
-
Loads dropped DLL 2 IoCs
Processes:
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
pid | process
2888 | 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
2888 | 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0J\\xdobsys.exe" | 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ76\\dobaloc.exe" | 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
Note: both values use the same name, "Parametr", in the sandbox user's hive (HKCU). The Run target xdobsys.exe is executed in this run (PID 1720, see the process tree); the RunOnce target C:\LabZ76\dobaloc.exe does not appear among the executed processes, so it would only fire on the next logon.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe, ecabod.exe, xdobsys.exe
pid | process | hits
2888 | 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | 2
2988 | ecabod.exe | 31
1720 | xdobsys.exe | 31
(64 IoCs in total; the original table lists one row per hit, two for the parent process followed by rows alternating between ecabod.exe and xdobsys.exe.)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
description | source pid | source process | target pid | target process | hits
wrote to memory | 2888 | 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | 2988 | ecabod.exe | 4
wrote to memory | 2888 | 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | 1720 | xdobsys.exe | 4
Note: all eight writes go from the parent into the two children it has just spawned. A parent writing into a freshly created child is also what an ordinary CreateProcess does (the process parameters are written into the child's address space), so this signature on its own does not establish code injection; the dropped files executing from the Startup folder and the Run-key path are the stronger findings here.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2888
  child processes:
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2988
    C:\Adobe0J\xdobsys.exe
      command line: C:\Adobe0J\xdobsys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 1720
-
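The following is an added example, not part of the sandbox report and not code from the sample: a PowerShell sweep of a Windows host for the artifacts listed under "Drops startup file", "Adds Run key to start application" and the process tree above. The file paths, the registry value name "Parametr" and the SHA256 values are copied from the report; the decision to walk every loaded hive under HKEY_USERS and every profile under C:\Users, the inclusion of dobaloc.exe in the process check, and the script structure are this example's own assumptions.

```powershell
# Added example, not from the sandbox report: sweep a host for the artifacts
# listed in the signatures above. Paths, the "Parametr" value name and the
# SHA256 values are copied from the report; everything else is an assumption
# of this example.

# SHA256 of the submitted sample and of the three 3.0MB files listed under
# Downloads (the report gives no file names for the dropped files).
$ReportSha256 = @(
    '9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7',
    '3bb02ce48ccf46d87d062f71e6a3f33cc3964570bc53664bf94ea7e81c15d3cf',
    '39584e39477566ed41652b7ce3e02126ddc93c3c004608fa9b2db06f8494b1da',
    '942402c93e02c39c7bd900d1e9cb2bac4cfb4d10c4940fe58736de4c9b89c10b'
)

# Drop locations from "Adds Run key" (Run and RunOnce targets) and the
# Startup-folder dropper from "Drops startup file". The sandbox user was
# "Admin"; this example checks every profile under C:\Users instead.
$DropPaths       = @('C:\Adobe0J\xdobsys.exe', 'C:\LabZ76\dobaloc.exe')
$StartupRelative = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry persistence. The report shows the values under the sandbox
#    user's SID, so walk every loaded user hive rather than only HKCU.
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    foreach ($key in 'Run', 'RunOnce') {
        $keyPath = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$key"
        if (-not (Test-Path $keyPath)) { continue }
        $value = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).Parametr
        if ($value) {
            $findings.Add("registry: $($hive.PSChildName) $key\Parametr = $value")
        }
    }
}

# 2. Dropped files. Presence is reported even when the hash differs, because
#    a rebuilt sample would reuse the path but not the hash.
$candidates = @($DropPaths)
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $candidates += Join-Path $profile.FullName $StartupRelative
}
foreach ($file in $candidates) {
    if (-not (Test-Path -LiteralPath $file)) { continue }
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLower()
    $note = if ($ReportSha256 -contains $hash) { 'SHA256 matches report' } else { 'SHA256 not in report' }
    $findings.Add("file: $file ($note)")
}

# 3. Running copies. The PIDs in the report (2888, 2988, 1720) are specific
#    to the sandbox run and are deliberately not used; match on image name.
$filter = "Name='ecabod.exe' OR Name='xdobsys.exe' OR Name='dobaloc.exe'"
foreach ($p in Get-CimInstance Win32_Process -Filter $filter) {
    $findings.Add("process: $($p.Name) PID $($p.ProcessId) $($p.ExecutablePath)")
}

if ($findings.Count -eq 0) { 'No artifacts from the report found.' } else { $findings }
```

Run it from an elevated prompt so that other users' hives under HKEY_USERS and the other profiles under C:\Users are readable. The SHA256 values identify this exact build only; the value name "Parametr" and the C:\Adobe0J and C:\LabZ76 directories are the broader, weaker indicators, which is why the script reports a file at one of those paths even when its hash is not in the report.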
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.0MB
MD5
1149f2d3eb9e8b3be936b4a0851caea9
SHA1
095820582c184f34d32c0878fab3407ad1467a3f
SHA256
3bb02ce48ccf46d87d062f71e6a3f33cc3964570bc53664bf94ea7e81c15d3cf
SHA512
ea8e22d78532cae3f73637fcfa2a3f6867039463c78d5b03e46cd50b21987468fbf7ab9efec9571d924a833dcd8545e04672bd3c3ba82bec2ead3177ca6e481b
-
Filesize
3.0MB
MD5
64f418a3c2edbab70ef35a55de92915c
SHA1
94feb791c0bca7e969dd29ce54aae76532893dee
SHA256
39584e39477566ed41652b7ce3e02126ddc93c3c004608fa9b2db06f8494b1da
SHA512
be07433c142fe3f75bbb5d4846fb43daaeb93df5940d380e8353528f0dbb41ee33351ff1ad6de7d607d433c16330f8e88a5e7d0be1d5d03ea196a05c492f916e
-
Filesize
167B
MD5
db28181107b9e2a54f3eab391a4518f4
SHA1
11f8eaa1deb229a72b8caea7f27bd34f4153351d
SHA256
4c3e5d819c4ae6d70020e45f42bdb1ec9334974892f7dc717c6196b1e8e24ba9
SHA512
df053a8924ba189b5b0054890a9f3c416378e80804198a8b982288dc392a21efbf948647701b79b132baa689c308c06b01c5d91a71a1600db0cb1323636b4b3f
-
Filesize
199B
MD5
a5f68a21dfc3dac04f24cad6f6b8a31e
SHA1
8b9576008bdc78f334aff09b2eaf7386302c7b1e
SHA256
c4b3be246ee5c5c389f5f83bccb0a00b803bd8348c8f18aa0fc423f295d001e1
SHA512
931dc68383336e59048191cdfd0315ecaac7720e4622dd741a590a9821ecdbc7cb428906f048ba7f0d760319dec026a79524eef811bf1aac436b82353cdd7217
-
Filesize
3.0MB
MD5
2bbdef029497d18b4def07d55cbacb81
SHA1
bb2a59a64780efb0b486ffd4ad1f9f0f102b7ed1
SHA256
942402c93e02c39c7bd900d1e9cb2bac4cfb4d10c4940fe58736de4c9b89c10b
SHA512
8705dda6c95f23eb1b673b46f0232c9e055a1fef378b522028136cd7edfb421f3bb07adf3b570383bc1a5ec811fc319444c93dee7d4159a5b8e668a99aa99f2e