07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9a

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
Size

3.1MB
MD5

b10d8da598afbfd7bcee9dcc7eea5550
SHA1

02a23f737bda43e5a2ae2a4c6de9b9d91e479ff0
SHA256

07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9a
SHA512

c6c1a39f5769895c6dcc6235b0ee5224615b6fc17e79528661b0a39a6703356218f9323764e2790a1ef9c57d964ee7738e4d228ef90dd242ace20096b317c982
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUprbVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	ecabod.exe
2708	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotN2\\xdobloc.exe"	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAT\\optiaec.exe"	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe
2792	ecabod.exe
2708	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2792	2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	30
PID 2668 wrote to memory of 2792	2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	30
PID 2668 wrote to memory of 2792	2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	30
PID 2668 wrote to memory of 2792	2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	30
PID 2668 wrote to memory of 2708	2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	31
PID 2668 wrote to memory of 2708	2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	31
PID 2668 wrote to memory of 2708	2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	31
PID 2668 wrote to memory of 2708	2668	07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe	31

C:\Users\Admin\AppData\Local\Temp\07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe
"C:\Users\Admin\AppData\Local\Temp\07f08ecb3448126fef108775792e46de3238edd70836c8f3f44f44119e5c3c9aN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\UserDotN2\xdobloc.exe
  C:\UserDotN2\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBAT\optiaec.exe

Filesize
3.1MB

MD5
44a0f8e4335be881a0afdc742d6b7905

SHA1
5eb82eff4f885129b0a027a07f6905f7aba654ea

SHA256
0cae11d597f90b96338291f2aea769fe14ba67a5644844d4a929bc61bf783fa3

SHA512
948a89ed14bd21da90085de913ccf8219c64aa3d3ea7d150d82dbd58d853cb706c4ad2f914505304097bb30bc7b59b7952be8c844f7cb44032cf8124a79b81a3

Download Submit
C:\UserDotN2\xdobloc.exe

Filesize
3.1MB

MD5
96707dbb386d89ab6d76225997dce840

SHA1
99ae1a20dafc1c0696cbb6888351a3bed83a60a6

SHA256
5532dc2280c0cbceaa05380b2886dc0430d82aa5e2504cc50693239604a62bd6

SHA512
e09f196eacbf44bfa2ee47be48bc2cb553205e5943d7ae1baa04190a062346c81648ac3efea265ddfba09925d71d794fd7ad87c10b4551103b95c489dd63353d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
fd86e493fb51689e4073c180169e7a8a

SHA1
d196b1b475958bdc79894c53670c612a9f13ac7a

SHA256
15b64211fb19fa4e8efe56807c23627d1ca49c79842de7efb11ea2fa09223a28

SHA512
f1ce8e840ddbe168c2d5f8153216d4f7a989c53a54a3b5c063884597eb496a740f2e6afa087780827f39ddf58a3fad9dd87c284c926744bf807247176f96f989

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
9b3ad23a8bc2994b5edb598d69832603

SHA1
086cfdfc1ac79fa287aed5d74c51d42ca339c9f2

SHA256
bc1915d3e135f043386c35fecb5fd2f13cde62a4d31ead71e1159536b7dc63ee

SHA512
dd10f3bed3d12368bfd22a027032fa17f3bb8632944160384bbec497c79d137a6d90a8b553db6d42318a89bf71de4e118fb209a65bba1bbac8e27631cba237dc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.1MB

MD5
02ee6862c1b684634e803ab637ce2b8e

SHA1
858a76d57ac4f57d83b99a5db9ca017e038fc4f2

SHA256
8ec5e5cf4524ba66cabaad1a6cb9f98a25a6c7ce995dde95a147a8291ad3c342

SHA512
a14c24d15ff7188d7e284f28f2e371dbf57d0f1868e166ba29f945c77ba7b2351b92197ea84091224fcf7c151d88b338c73dbe0bd0d385613d7e8239d1358809

Download Submit