Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 23:33

General

  • Target

    8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe

  • Size

    2.6MB

  • MD5

    9b42636603c89983378290168040f6f0

  • SHA1

    cbb75e590b62818c8f3e0c8a34eedb3bd12369c7

  • SHA256

    8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971

  • SHA512

    e188976870964290cd3e8129595bf489f2144eb553cebe349a086f684c0f56e7276e969529b796adb1e6e0fb260f0f6f07897f2d1929a81ac0322f3b7ace3f06

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bS:sxX7QnxrloE5dpUp5b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2068
    • C:\SysDrvTV\xbodec.exe
      C:\SysDrvTV\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZ4F\dobxec.exe
    Filesize: 2.6MB
    MD5: 1a36cb06d005923e75f06ccb4505a064
    SHA1: 2fd854f12a4e9d71ec7a5b8e69a569396b7d5048
    SHA256: 051485a52972ea5c0603dd9736040cead746b7e92e9c982589493d4e6b5b606c
    SHA512: e5362ebc0702021e2e3720fc57e9b360f3685010aeae47c65dc18c7d68ecb2be4429cd9eec606b95744a7b46cd1a292c6058dd9abea5f266061912ecd4065e95

  • C:\LabZ4F\dobxec.exe
    Filesize: 2.6MB
    MD5: c102aaf0ee64348275dd221dfd70ff61
    SHA1: 68698087775e5c1a974506adbfdf3e83e56d1362
    SHA256: 2615bf3823319c3c223060d066cbd2b39ddf92e0cabdc0869392df9db338f0e6
    SHA512: b0de666a57ab3cb939be25e8502df18230bd00438d4493a8276ad7a303bc6f7a550df9464abaa4d016e8738ee55c1050d8fbebdb69b8043712de863ca4e246ac

  • C:\SysDrvTV\xbodec.exe
    Filesize: 2.6MB
    MD5: b55f347584547a05ea5d9dee61e02848
    SHA1: 3a836a07df8df535e7b32f1bea21d266a1c0d3a9
    SHA256: 2c78428ee5c4855a75ac5450e12a7a54d6466bf65ddc0b6e34d36a656c918087
    SHA512: 820d5112c884218f5159868c67de55c4fa42002b751ea25e4d90a3d44d17b91daff0f35895f767d7d0524e8fd2f9252aaefa99cc08e24c713a4f7d5a11b7d0c4

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 166B
    MD5: ff851da78cb205dcf7e259b97a6443c5
    SHA1: 2f6e351eb6fffb60d8ecef1fb45bd35e64a2aa66
    SHA256: 99fd0a2d4a7492c0234bf7f94e4e577cf485a742013c6a94ca0585bc0281de71
    SHA512: e89f6cc418661d35f9c2d385dd0febd51da98c8a6d6e5519697e00b13aa94c9ccf6da0e816ab3db0534f9f1d7071427b7d07044ed5d4686e83ffa25e59aee881

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 198B
    MD5: a1546d5a76b42629e0435f2d02e3ff2d
    SHA1: 3473ccba667a8387310dd44be12aa779dab0db99
    SHA256: cf061f16ce7ce59139c9bb9531335a1a7139e79eee86d1ce668e74c512dba104
    SHA512: ba5f3c37a25fa12c8bb48e342bfb32da7a8ae717e7fc5484c38eaabc8089561fb132e434eefe58c4e65a5b07795e68a1eee3738ec8ef5649e8d3cd0cabd5a340

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Filesize: 2.6MB
    MD5: 2662a859c62031ac88d3c0749a31ec44
    SHA1: 179ce2d4c88c54ae47f7c03d0c62966533c69f68
    SHA256: 6c28e766a20109f8704ee2cba0658e085db76999e06023d7dfd0c72323376699
    SHA512: 22a9fbede53642aa153e2ee19665d8a1024a91772b322a3048c60815b6b5ec15c6539031d3a11a68a6b2dcff1c3f805e359a83c385fd8ac3d7b9f78f23ec6c40