Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-11-2024 21:19

General

  • Target

    e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe

  • Size

    2.6MB

  • MD5

    3d3ea83b2b8f6d254c654505521506b0

  • SHA1

    a4480aae27dfb526384eb179b3896e6d2fada447

  • SHA256

    e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276e

  • SHA512

    639eeee85e8d6884a1d383f7808702b9d957b71e7914a2fbd3e976b30b61dec755adfde21505b030f53365aabcb1312d761f5ac3a26ed527dc2d6c917275a881

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUptb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
    "C:\Users\Admin\AppData\Local\Temp\e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2056
    • C:\FilesOI\xbodsys.exe
      C:\FilesOI\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesOI\xbodsys.exe

    Filesize

    2.6MB

    MD5

    2cf327a72c94214f7465e5e021b9207e

    SHA1

    e89748b21407b6c2c853934271edde05284fba20

    SHA256

    9b3a8f0b295fddcb53592a6af22a1e2ffac0e46b943ff5217e785347ed82b13c

    SHA512

    965dc9f13d599ec8efa6400d4c2c89d2da3d4b1e88ce4330405b713fc4a1fa5b7f9e889c02e7dbea8fa81944dc4c41bc333721c7f40ceb9136f5b23af1c0582a

  • C:\LabZXO\optixloc.exe

    Filesize

    2.6MB

    MD5

    a0cb979d7f11fad58e1e68f1d647b8fd

    SHA1

    23fe72e31208c28536edcbc69bd12ea0985b6b7a

    SHA256

    e793e162edecfbc6c4bf7158d63a1fef3a22d2d3fdb94655ed842b5dae71ae90

    SHA512

    cf9c1564d4459d0386c4b438e9d58f9f37bfbc0f78f73a72ac3bb20cb7027b761a7a43f6befcda7ed22180ed62d8b627ef5d9c0f003e6f69414046c466413461

  • C:\LabZXO\optixloc.exe

    Filesize

    2.6MB

    MD5

    03ebfac6e5089ee1bef3eb57753c6e4e

    SHA1

    4d76bd3c0c8f12423ef2b5037b8d7c86a1aa34fb

    SHA256

    05a5e1aa9efb1bb53a00b1a077a8574ad923ddd01dbe641d7b5f5f27ff568522

    SHA512

    e2455bfba79c64bddd492e7daff3d99e4670512e8aeac515ddcbbe2db4f20769a17aeaeb46ea4141a766c6991a14b28119a34cfa45efd0a3cf74392cd6b27c57

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    7de7daa834d985338fd5363e3909a780

    SHA1

    2ae121abd7b09b761b269821ef8a2c8670ff2d36

    SHA256

    0493f2b7906b2e219a826b6d7a3f9bc023f92a8d00048f5b25240eb58534e246

    SHA512

    f82d3a24e0f964dcca1b050e85aeca5da1ef5d381bbce00b1cdf3b84e3c1526762bc4f293abbc983e9b1c5a70b04b68eabcd54a1db3273d5e910d92ba6358f4c

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    4264b2019848f93783ef5182b9e658fe

    SHA1

    26cdd31c24a2d0274870434ff39a8de2ed2f531a

    SHA256

    4938401bcee272ba3d1bb312e3cf4880951fb68d3170b22a8cfe6fdcdcdf2288

    SHA512

    1d4260524883a355b2d56b57444114c2fe9a1f93e099188b83071a45b3763e4b8692ef9e77d4c10f4936064fb76e8c57b54aa5bbce410f1f4b5c3b133adfea96

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

    Filesize

    2.6MB

    MD5

    383f3207756b46e3e20390b7b707319d

    SHA1

    c4e384a0812a83825925f04fdfc45a7b85d11494

    SHA256

    42324e1420fcd19500826a11fd0157f38e795de25100531fddf0cf15bbc193ae

    SHA512

    5459ac471bff77a3f041384a3838bdba1fbbcd8578b4396ce32ffdc2ef917193c7a7f3af25f9e6bc508900d5fa2d2bc96b4189e59b5fb8fcff0deb55ddda33d8
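Hunting these indicators on other hosts, as an added example that is not part of the sandbox report: the script below hashes a directory tree and flags files whose SHA256 matches one listed in the General or Downloads sections, and separately flags the dropped paths seen under Processes and Downloads (the C:\FilesOI and C:\LabZXO payloads, the Startup-folder copy ecadob.exe and the profile-root .ini). Path matching is not redundant with the hashes: C:\LabZXO\optixloc.exe and the .ini each appear twice above with different hashes, so the file left on a given host may not match any single digest. The Run-key value counted under "Adds Run key to start application" is not shown on this page and is not covered. The pattern for the .ini name assumes the numeric prefix is host-specific (6.1 is the NT version of the Windows 7 sandbox and Admin is its user name); the demo tree and the "abc" file are constructed for the demonstration.

```python
"""Hunt the file-system IoCs from this sandbox report across a directory tree.

Added example, not part of the report. Hash values are copied from the
General and Downloads sections; the demo tree at the bottom is constructed.
"""
import hashlib
import os
import re
import shutil
import tempfile

# SHA256 of the submitted sample and of every dropped file listed under Downloads.
REPORT_SHA256 = {
    "e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276e": "submitted sample",
    "9b3a8f0b295fddcb53592a6af22a1e2ffac0e46b943ff5217e785347ed82b13c": r"C:\FilesOI\xbodsys.exe",
    "e793e162edecfbc6c4bf7158d63a1fef3a22d2d3fdb94655ed842b5dae71ae90": r"C:\LabZXO\optixloc.exe (first write)",
    "05a5e1aa9efb1bb53a00b1a077a8574ad923ddd01dbe641d7b5f5f27ff568522": r"C:\LabZXO\optixloc.exe (second write)",
    "42324e1420fcd19500826a11fd0157f38e795de25100531fddf0cf15bbc193ae": r"Startup\ecadob.exe",
}

# Path tails from the Processes and Downloads sections, compared case-insensitively
# so the drive letter and user profile may differ from the sandbox.
PATH_TAILS = (
    r"\filesoi\xbodsys.exe",
    r"\labzxo\optixloc.exe",
    r"\microsoft\windows\start menu\programs\startup\ecadob.exe",
)

# The report shows C:\Users\Admin\253086396416_6.1_Admin.ini. 6.1 is the NT version
# of the Windows 7 sandbox and Admin its user name; the numeric prefix is ASSUMED to
# be host-specific, so the pattern generalises over all three parts.
PROFILE_INI_RE = re.compile(r"^\d+_\d+\.\d+_[^\\]+\.ini$")


def sha256_of(path, chunk_size=1 << 20):
    """Stream-hash a file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def path_indicators(path):
    """Labels of every path-based indicator that `path` matches (may be empty)."""
    p = path.replace("/", "\\").lower()
    hits = [tail for tail in PATH_TAILS if p.endswith(tail)]
    if PROFILE_INI_RE.match(p.rsplit("\\", 1)[-1]):
        hits.append("profile-root <digits>_<ntver>_<user>.ini")
    return hits


def scan_tree(root, hashes=REPORT_SHA256, max_size=64 << 20):
    """Walk `root` and return (path, sha256, reasons) for every file that hits."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.path.islink(full) or os.path.getsize(full) > max_size:
                    continue
                digest = sha256_of(full)
            except OSError:  # vanished, locked or unreadable: skip, do not abort the hunt
                continue
            reasons = []
            if digest in hashes:
                reasons.append("sha256: " + hashes[digest])
            reasons.extend("path: " + r for r in path_indicators(full))
            if reasons:
                findings.append((full, digest, reasons))
    return findings


# Constructed demo: a throwaway tree with one hash hit, one path hit and one clean file.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # sha256(b"abc")


def run_demo():
    root = tempfile.mkdtemp(prefix="ioc-hunt-")
    try:
        startup = os.path.join(root, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
        os.makedirs(startup)
        with open(os.path.join(root, "abc.bin"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(startup, "ecadob.exe"), "wb") as f:
            f.write(b"MZ placeholder, constructed")
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see")
        hashes = dict(REPORT_SHA256, **{SHA256_ABC: "constructed abc.bin"})
        return {os.path.basename(p): reasons for p, _, reasons in scan_tree(root, hashes)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name, "->", "; ".join(reasons))
```

Point `scan_tree` at a mounted image or a live profile directory to hunt for real; a path hit without a hash hit is expected for the files this report shows being rewritten, and is still worth triaging because the directory names themselves do not occur on a clean host.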