Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-06-2024 00:39

General

  • Target

    9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe

  • Size

    3.0MB

  • MD5

    8d3bfc534b1c71f59199aba85b65bac3

  • SHA1

    ef44e9b409ae23a5377d21d740d53f9d5c83d089

  • SHA256

    9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7

  • SHA512

    8e040e9c74a8e2c1e628827b5286a78ad5f827e0946a696f2da9c2e4249afa1d2881daeda0ff263ef50cf7b47c5428b7049dc78653e9630dd5e2abd9765b3f03

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
    "C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2988
    • C:\Adobe0J\xdobsys.exe
      C:\Adobe0J\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1720

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Adobe0J\xdobsys.exe

    Filesize

    3.0MB

    MD5

    1149f2d3eb9e8b3be936b4a0851caea9

    SHA1

    095820582c184f34d32c0878fab3407ad1467a3f

    SHA256

    3bb02ce48ccf46d87d062f71e6a3f33cc3964570bc53664bf94ea7e81c15d3cf

    SHA512

    ea8e22d78532cae3f73637fcfa2a3f6867039463c78d5b03e46cd50b21987468fbf7ab9efec9571d924a833dcd8545e04672bd3c3ba82bec2ead3177ca6e481b

  • C:\LabZ76\dobaloc.exe

    Filesize

    3.0MB

    MD5

    64f418a3c2edbab70ef35a55de92915c

    SHA1

    94feb791c0bca7e969dd29ce54aae76532893dee

    SHA256

    39584e39477566ed41652b7ce3e02126ddc93c3c004608fa9b2db06f8494b1da

    SHA512

    be07433c142fe3f75bbb5d4846fb43daaeb93df5940d380e8353528f0dbb41ee33351ff1ad6de7d607d433c16330f8e88a5e7d0be1d5d03ea196a05c492f916e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    167B

    MD5

    db28181107b9e2a54f3eab391a4518f4

    SHA1

    11f8eaa1deb229a72b8caea7f27bd34f4153351d

    SHA256

    4c3e5d819c4ae6d70020e45f42bdb1ec9334974892f7dc717c6196b1e8e24ba9

    SHA512

    df053a8924ba189b5b0054890a9f3c416378e80804198a8b982288dc392a21efbf948647701b79b132baa689c308c06b01c5d91a71a1600db0cb1323636b4b3f

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    199B

    MD5

    a5f68a21dfc3dac04f24cad6f6b8a31e

    SHA1

    8b9576008bdc78f334aff09b2eaf7386302c7b1e

    SHA256

    c4b3be246ee5c5c389f5f83bccb0a00b803bd8348c8f18aa0fc423f295d001e1

    SHA512

    931dc68383336e59048191cdfd0315ecaac7720e4622dd741a590a9821ecdbc7cb428906f048ba7f0d760319dec026a79524eef811bf1aac436b82353cdd7217

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    3.0MB

    MD5

    2bbdef029497d18b4def07d55cbacb81

    SHA1

    bb2a59a64780efb0b486ffd4ad1f9f0f102b7ed1

    SHA256

    942402c93e02c39c7bd900d1e9cb2bac4cfb4d10c4940fe58736de4c9b89c10b

    SHA512

    8705dda6c95f23eb1b673b46f0232c9e055a1fef378b522028136cd7edfb421f3bb07adf3b570383bc1a5ec811fc319444c93dee7d4159a5b8e668a99aa99f2e