Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 23:33

General

  • Target

    8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe

  • Size

    2.6MB

  • MD5

    9b42636603c89983378290168040f6f0

  • SHA1

    cbb75e590b62818c8f3e0c8a34eedb3bd12369c7

  • SHA256

    8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971

  • SHA512

    e188976870964290cd3e8129595bf489f2144eb553cebe349a086f684c0f56e7276e969529b796adb1e6e0fb260f0f6f07897f2d1929a81ac0322f3b7ace3f06

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bS:sxX7QnxrloE5dpUp5b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
    "C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3596
    • C:\SysDrv6N\xdobloc.exe
      C:\SysDrv6N\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2272

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\KaVBPB\dobdevsys.exe

          Filesize

          228KB

          MD5

          23497ef37ee3467d3edb83457238a3c6

          SHA1

          b515b9ac3705b3a5c4f7980537fe717a66e62fe3

          SHA256

          26b7202f6fbb8ed46a4a8686021fdedb8b96565df03da9785627c5fc0e4b8ed1

          SHA512

          b88a5105b1df502437b9165eb9727a1f0bcd08a26965c17de0c9aeff21038f21e58bbd14fc1c0c93012acbea7a6febd8c091ef6a8da6fe728a7e9eaaac485f09

        • C:\KaVBPB\dobdevsys.exe

          Filesize

          864KB

          MD5

          419ea425a9877e8102e6026c4dff10c4

          SHA1

          b48f829854cb2605ad87b003bb2c51cc672d8e61

          SHA256

          e0456e37529a37b27e3ef2bdf2edcec914bcbd717835e081cd99b52896948f01

          SHA512

          3204a01421c2a13defeef72e7c01b83983e4778e31dd07a2b327d0c4f8d6aea4807f6557ae947870203c621b23919945e2e9033270ede34f9ead2b47af74142e

        • C:\SysDrv6N\xdobloc.exe

          Filesize

          102KB

          MD5

          c086eba78c30d076c12734e00cd5c026

          SHA1

          f043e2bb506b346b870add636882f38d5e49bfb4

          SHA256

          a771e3cbb26259f20348bf74ef2b5e3c3293f714878bcc42dc476657dfc0a503

          SHA512

          6419c9fd9d9ea0eae2c6ebae7dd50c14bdebaabaf568857ccd979d12e8821606f12dfd1e7a4bea29d2f0ba15eedc656ad411ed870fa3edcc1af0c36047b00932

        • C:\SysDrv6N\xdobloc.exe

          Filesize

          2.6MB

          MD5

          20ed5faa9f27e2999b65d5f52887ba5c

          SHA1

          e628ef7a917482fa9e20ca1b52b8a4aa0a353cbe

          SHA256

          1e068902eef35bf78822e5bd2d9982b7a36c3cef93eee4c3bd3a933259eb1319

          SHA512

          14c416052b3a7b6de99794acf7f5f97d9f1675722483a4bd930d7866d35b5bcdc9577c051f96d7ad8aea7b5a88b9123b28e5b026a7302cc856baf85831178582

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          202B

          MD5

          2098c1e54610b0badfb761c52a704010

          SHA1

          c0fce5bd3e4a8e830166f7e1829e6b123a076de3

          SHA256

          a9c156c67fb65f36766bc958dce96c409bc697efcd636a979d10e2725026b338

          SHA512

          72c2c0d4bb97b3e5c47dc144579794c1003e0cf21f363edf4cd1e64c9f9a6d6019b651df028bbb3fbc0291a2436f8a76f168b198f62797298fd6e2a129a00b8d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          170B

          MD5

          863e0d48901c6d70d856d4efed40cb01

          SHA1

          b3b61c459cf6b5177645c291f3030a6ebeccb4f5

          SHA256

          ff5a5e7e6a827eba179d116de48a1288f9500a7c529bede3fc5456d9cd5adae4

          SHA512

          3e11f2e930c8b121b1967e073a3182b4ff53ed148be8e84405a4986e2360e92fd159d8f2ae50d381a74c8256d5d633229962a578349ba931d99446faaef0e6f0

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          fe6b8eaa8f6218a0e8dfebeda823968e

          SHA1

          4959a3ea66fee942baa97a922a911938f2dd7217

          SHA256

          4a786f95a95aa4d957207bba917e527ffd35e519174dbd75fa0fc1447339d738

          SHA512

          51b3b976722dda44002855e3df1d549fe9cbaf561ca323d42c9f0ec6db63579a009c569cad082d7996502743c1b402cd1ebdfc7c1ed1b899949bc424b2d65182