Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/11/2024, 23:33
Static task
static1
Behavioral task
behavioral1
Sample
8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
Resource
win10v2004-20241007-en
General
-
Target
8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
-
Size
2.6MB
-
MD5
9b42636603c89983378290168040f6f0
-
SHA1
cbb75e590b62818c8f3e0c8a34eedb3bd12369c7
-
SHA256
8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971
-
SHA512
e188976870964290cd3e8129595bf489f2144eb553cebe349a086f684c0f56e7276e969529b796adb1e6e0fb260f0f6f07897f2d1929a81ac0322f3b7ace3f06
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bS:sxX7QnxrloE5dpUp5b
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe -
Executes dropped EXE 2 IoCs
pid Process 2068 ecadob.exe 1864 xbodec.exe -
Loads dropped DLL 2 IoCs
pid Process 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTV\\xbodec.exe" 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4F\\dobxec.exe" 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecadob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbodec.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe 2068 ecadob.exe 1864 xbodec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2452 wrote to memory of 2068 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 30 PID 2452 wrote to memory of 2068 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 30 PID 2452 wrote to memory of 2068 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 30 PID 2452 wrote to memory of 2068 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 30 PID 2452 wrote to memory of 1864 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 31 PID 2452 wrote to memory of 1864 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 31 PID 2452 wrote to memory of 1864 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 31 PID 2452 wrote to memory of 1864 2452 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe"C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2068
-
-
C:\SysDrvTV\xbodec.exeC:\SysDrvTV\xbodec.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1864
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD51a36cb06d005923e75f06ccb4505a064
SHA12fd854f12a4e9d71ec7a5b8e69a569396b7d5048
SHA256051485a52972ea5c0603dd9736040cead746b7e92e9c982589493d4e6b5b606c
SHA512e5362ebc0702021e2e3720fc57e9b360f3685010aeae47c65dc18c7d68ecb2be4429cd9eec606b95744a7b46cd1a292c6058dd9abea5f266061912ecd4065e95
-
Filesize
2.6MB
MD5c102aaf0ee64348275dd221dfd70ff61
SHA168698087775e5c1a974506adbfdf3e83e56d1362
SHA2562615bf3823319c3c223060d066cbd2b39ddf92e0cabdc0869392df9db338f0e6
SHA512b0de666a57ab3cb939be25e8502df18230bd00438d4493a8276ad7a303bc6f7a550df9464abaa4d016e8738ee55c1050d8fbebdb69b8043712de863ca4e246ac
-
Filesize
2.6MB
MD5b55f347584547a05ea5d9dee61e02848
SHA13a836a07df8df535e7b32f1bea21d266a1c0d3a9
SHA2562c78428ee5c4855a75ac5450e12a7a54d6466bf65ddc0b6e34d36a656c918087
SHA512820d5112c884218f5159868c67de55c4fa42002b751ea25e4d90a3d44d17b91daff0f35895f767d7d0524e8fd2f9252aaefa99cc08e24c713a4f7d5a11b7d0c4
-
Filesize
166B
MD5ff851da78cb205dcf7e259b97a6443c5
SHA12f6e351eb6fffb60d8ecef1fb45bd35e64a2aa66
SHA25699fd0a2d4a7492c0234bf7f94e4e577cf485a742013c6a94ca0585bc0281de71
SHA512e89f6cc418661d35f9c2d385dd0febd51da98c8a6d6e5519697e00b13aa94c9ccf6da0e816ab3db0534f9f1d7071427b7d07044ed5d4686e83ffa25e59aee881
-
Filesize
198B
MD5a1546d5a76b42629e0435f2d02e3ff2d
SHA13473ccba667a8387310dd44be12aa779dab0db99
SHA256cf061f16ce7ce59139c9bb9531335a1a7139e79eee86d1ce668e74c512dba104
SHA512ba5f3c37a25fa12c8bb48e342bfb32da7a8ae717e7fc5484c38eaabc8089561fb132e434eefe58c4e65a5b07795e68a1eee3738ec8ef5649e8d3cd0cabd5a340
-
Filesize
2.6MB
MD52662a859c62031ac88d3c0749a31ec44
SHA1179ce2d4c88c54ae47f7c03d0c62966533c69f68
SHA2566c28e766a20109f8704ee2cba0658e085db76999e06023d7dfd0c72323376699
SHA51222a9fbede53642aa153e2ee19665d8a1024a91772b322a3048c60815b6b5ec15c6539031d3a11a68a6b2dcff1c3f805e359a83c385fd8ac3d7b9f78f23ec6c40