ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
Size

2.6MB
MD5

f23c1316612a0bc48ed27320c2df6abb
SHA1

cf8fa069238b0d08edfab4d71266d1598f166010
SHA256

ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46
SHA512

be59935fc18b2918f8a14df111c508da81c7f56ecb017c238c7e5e8197d918adc5fb13423e27befd4c39ea713c092cbe4589f049e3f6740af7d652d920eaea2e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUp0b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe

Executes dropped EXE 2 IoCs

pid	Process
3008	ecabod.exe
1828	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZB\\dobdevloc.exe"	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJ5\\xdobsys.exe"	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe
3008	ecabod.exe
1828	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3008	2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	30
PID 2072 wrote to memory of 3008	2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	30
PID 2072 wrote to memory of 3008	2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	30
PID 2072 wrote to memory of 3008	2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	30
PID 2072 wrote to memory of 1828	2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	31
PID 2072 wrote to memory of 1828	2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	31
PID 2072 wrote to memory of 1828	2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	31
PID 2072 wrote to memory of 1828	2072	ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe	31

C:\Users\Admin\AppData\Local\Temp\ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe
"C:\Users\Admin\AppData\Local\Temp\ffbabbc63f917b31a63ef8caf0a7d0e0bf3fe49b75f7945f1fc77053be7eca46.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\IntelprocJ5\xdobsys.exe
  C:\IntelprocJ5\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJ5\xdobsys.exe

Filesize
2.6MB

MD5
a4e4725a48664034eb9afdbd9d94c726

SHA1
fbcc7c6548e5fbc77f000b9307a30894da1b7d4c

SHA256
de0778a56330405abf29c86e5fde4be97a5248b5b85aab27d537632808f1c409

SHA512
f79c16a18f49d671f47055b6e752bad641aa7532a1b99793201bd1bd21597a024c9fe992e1c6914d026c6b85d4799ceb115e15faea9b62afbeb32a31524d9abb

Download Submit
C:\KaVBZB\dobdevloc.exe

Filesize
2.6MB

MD5
a83521b0573709abc1c5def6f56091c5

SHA1
90ac174edc0bb321f3b95ac7206aa5936c92bfaf

SHA256
1da6d540f1971f1829fcbad5aebd3629582833fb8ebb0ab73be567350f5b4405

SHA512
5c98323bdec3cca3e21ea463c0be0ec2765c1cffa5c937562c86ce5605af6fae896ff33af6592235991b9e3ffc10bfb5861244242c7394f3a07de48e91c326aa

Download Submit
C:\KaVBZB\dobdevloc.exe

Filesize
2.6MB

MD5
bb458a440f2f945d29373e59b0af8d12

SHA1
0da1fc9bae345ec43708bee0446094a2cad3bdff

SHA256
97230ef5f05ef9ea28146a5e3638153972d04fb2b836214d96bd9bc021fbfc68

SHA512
136bd5c43bc46f58505fbe5a76901f3905b12328222178064828dbc669ad996a0607bf42575acf62474cda2262181d2056e47e4f356ee45c7427d8fa288c84ed

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
3760d9f0d59f7ae450d04c24f461a447

SHA1
df71f3d41ff4ed66fd57af3032be26a441795645

SHA256
c7e5ab714a0cfc35f5cbc35b9d53beb0ec1af0861e774e5a9d56f72287a426d9

SHA512
0bfd900be3b40f37fb7805e9f6b91300d752c7e5f5c8f36312b87f05e7d13470c567fac8e9fc13430a7b6a91827d40f2a67fdc4fab8ef84b5678abc863105f6d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
569fe45a6b1ce4b2c73e0601b78b6f93

SHA1
321f702e259954814260c90063d4f6cdcab56c6f

SHA256
f2223796384720e64e9db3fb46122d2c170451f88d98cd09daf8e3efebacbcf4

SHA512
0f68492d1278ae93723a75ef367502b9a3f9f33b7db6d0775cb77bed80b37a8ab4d645a1aec28c90c41be6395c3f6d1411f600efd7de6b1f229912ef9388091f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
9cc7f9b4acdb4f5e40528f1d57f99a37

SHA1
2d610b1edf8ee02aed1600da955271331a40962d

SHA256
a22b70c0e733e3b8a2eeb882b4f13687d5eec9b9362972cc667ce09f11a51ef1

SHA512
2486cb247ec2df8d83c8107bc6b70c42012da87a1b358469474532dd1dd7f1406b2e6b6d60643b53c6d98fcc612c11841ca3bfae1b8d0f289142a8cec59cf5b7

Download Submit