Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 12:59

General

  • Target

    3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe

  • Size

    2.6MB

  • MD5

    3e6f50ee48a51e32b20aa767477164b0

  • SHA1

    9ec5f2e7f8aa2bd95aa2c69b0d2ce3e2163ce213

  • SHA256

    3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772

  • SHA512

    9d20dca9f66d192f2f52488a41b323862e9d76758b6cb2b5899e6dfe0acac53ab3861778bfa43cfde73e5a3a2151e9de7dd3e6517254598473b0659873849b7c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS:sxX7QnxrloE5dpUphb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
    "C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2196
    • C:\UserDotN4\xdobec.exe
      C:\UserDotN4\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2104
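The process tree above shows two persistence and drop locations (the per-user Startup folder and the root-level directory C:\UserDotN4), and the Signatures section additionally flags a Run key, whose value name the report does not give. The following PowerShell triage script is an added example, not output of the sandbox or code from the sample: it hunts a live Windows host for those locations, hashes what it finds and compares against the SHA256 values listed in this report's Downloads section. The drop directory C:\KaVBH0 and the *_6.1_Admin.ini marker file are taken from the same section; the reading of "6.1" as the Windows 7 NT version is an inference, not something the report states. Because each 2.6MB copy in the report already carries a different hash, a file-name match is reported as a weaker, separate finding rather than ignored.

```powershell
# Added triage script (not part of the sandbox report). Run as the logged-on user with
# rights to read HKLM. Hashes are copied from the report; everything else is assumption.

$KnownSha256 = @{
  '3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772' = 'original sample'
  '08904d00fb6dc543e7a286896fea330f5ccd0148403289cb7652524602db62f5' = 'C:\KaVBH0\dobaloc.exe (1st write)'
  'bc91e48d324bec3306bdedff504df65e01b12b51e2469ce2dbf383764ac18760' = 'C:\KaVBH0\dobaloc.exe (2nd write)'
  '0f98ea63fe435bc54c61759dcfe3573402306098a5288a501eea860188c30ab6' = 'C:\UserDotN4\xdobec.exe'
  '0d947406379c9cb94809f247d67213e12a462855f678028c51d0398d90dd1355' = 'Startup\ecadob.exe'
}
$KnownDirs = @('C:\KaVBH0', 'C:\UserDotN4')

# Run / RunOnce locations to inspect; the report does not name the value, so every value is checked.
$RunKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = [System.Collections.Generic.List[object]]::new()

function Get-CommandTarget {
  # Extract the executable from a Run value such as  "C:\p\x.exe" /a  or  C:\p\x.exe /a
  param([string]$Command)
  if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
  if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
  return $Command.Trim()
}

function Test-Hash {
  # Hash a file and record a finding if it matches a report hash or a report file name.
  param([string]$Path, [string]$Source)
  if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }
  $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
  if ($KnownSha256.ContainsKey($h)) {
    $findings.Add([pscustomobject]@{ Source=$Source; Path=$Path; Sha256=$h; Match=$KnownSha256[$h] })
  } elseif ($Path -match '\\(ecadob|xdobec|dobaloc)\.exe$') {
    # Same name, different hash: the report's own copies already differ from one another.
    $findings.Add([pscustomobject]@{ Source=$Source; Path=$Path; Sha256=$h; Match='name match only (hash differs)' })
  }
}

# 1. Run / RunOnce values ("Adds Run key to start application")
foreach ($key in $RunKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath/... fields
    $target = [Environment]::ExpandEnvironmentVariables((Get-CommandTarget $p.Value))
    Test-Hash -Path $target -Source "$key\$($p.Name)"
  }
}

# 2. Per-user and all-users Startup folders ("Drops startup file")
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
  if (-not (Test-Path -LiteralPath $dir)) { continue }
  Get-ChildItem -LiteralPath $dir -File | ForEach-Object { Test-Hash -Path $_.FullName -Source 'Startup folder' }
}

# 3. Root-level drop directories seen in the report
foreach ($dir in $KnownDirs) {
  if (-not (Test-Path -LiteralPath $dir)) { continue }
  Get-ChildItem -LiteralPath $dir -File -Recurse | ForEach-Object { Test-Hash -Path $_.FullName -Source 'Drop directory' }
}

# 4. The <number>_6.1_<user>.ini marker written to the profile root.
#    Assumption: "6.1" is the NT version (Windows 7) and the suffix is the user name,
#    so the pattern is widened to any NT version and any user.
Get-ChildItem -Path 'C:\Users\*' -Filter '*_6.*_*.ini' -File -ErrorAction SilentlyContinue | ForEach-Object {
  $findings.Add([pscustomobject]@{ Source='Profile marker'; Path=$_.FullName; Sha256=''; Match='ini name pattern' })
}

if ($findings.Count -eq 0) { 'No report IoCs found.' } else { $findings | Format-Table -AutoSize }
```

A hash hit on a host outside the sandbox is strong evidence; a name-only hit or a lone .ini marker is a lead to confirm by pulling the file for ssdeep comparison against the report's fuzzy hash, since every copy the sample wrote had a distinct SHA256.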

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\KaVBH0\dobaloc.exe

          Filesize

          2.6MB

          MD5

          86b64dec647fc6561ca3c3be840e179f

          SHA1

          5065a325a3ae69b7d81fa0cfad86c6ae8dbdba95

          SHA256

          08904d00fb6dc543e7a286896fea330f5ccd0148403289cb7652524602db62f5

          SHA512

          7172976d33e7fefb4f446bccb0a5371eceb18bab7c117d1031900cb7f5c649734b2acb0fcf875cf941b948e349b549399ac8e7d218c7ecf216ab8141aae0b587

        • C:\KaVBH0\dobaloc.exe

          Filesize

          2.6MB

          MD5

          df5443419d7cff3adb8c744c5b5cd6b5

          SHA1

          2b16f6d55ad4115ec7f2d05c3dde6c66b65081d9

          SHA256

          bc91e48d324bec3306bdedff504df65e01b12b51e2469ce2dbf383764ac18760

          SHA512

          cd8e12f3bdf65417072badd00da64a76c62998eeb1f60df0130315ffa34eebf054b22cf100db29b49efebf825af1d27dff30affffba57490e116a9fb562ddc83

        • C:\UserDotN4\xdobec.exe

          Filesize

          2.6MB

          MD5

          f1ca6d163b5377cdd9a3a98e1765cb5f

          SHA1

          20c71eda1f5a09aed1b2ceb50e07884be120c8ef

          SHA256

          0f98ea63fe435bc54c61759dcfe3573402306098a5288a501eea860188c30ab6

          SHA512

          517a207bee6f486114f4ba78c6d51e7c2f403ccb1572bdc2d4d90c9d3bd621a8cece436af04f7cf8a6286fc9463de9ec87b4dcf52fa6bb5f4d401553208abd62

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          168B

          MD5

          89070966b6b92934c99f0d088a167acc

          SHA1

          f1ebbb71c6560fb310fb500674ea97d5a4d51dc5

          SHA256

          fba341ba03c8aad9cdfe55815fa94cff29a812b23ae695b0acc42e54090a3f33

          SHA512

          ca1a0314d0b6d9018cf0b07a397ab5513a52314d5461783f23f1d593f9983f2baf65829c5b620c5e5773e6715e7598975c67d12a62eb5732891bd34d035644af

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          200B

          MD5

          bc99c067013cf34b39ba2e513a4e3cd7

          SHA1

          4a83d035bb79be79515f4370adcca94f0b63664a

          SHA256

          d4e71924a131d263a99f29cee1ac1019b5e84b7e0e6d4b7d4bc9a6d63f8aa875

          SHA512

          4ae9bae45b6112f9ef3fce443c2c2c9ad415afcb2dd558e435ad4366500ed5d2c5831acf3468389758fb076bd51222d575de70092a94b126f14f8fe95ce187a0

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          eb64773dc200cc8a3ba0544dff503e1a

          SHA1

          dc22661573c1afbde30b76ef5d232b250c4d4dad

          SHA256

          0d947406379c9cb94809f247d67213e12a462855f678028c51d0398d90dd1355

          SHA512

          a6ed2972582d87108058f54ad6603949209833ca9829dff4b33cd2c7380fc5f751050324e75a9b1ca69eb93bd4ab3f5b5ea63ad359700ac0dc6dedf825310cf8