Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 12:59
Static task: static1
Behavioral task: behavioral1
Sample: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
Resource: win10v2004-20241007-en
General
Target: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
Size: 2.6MB
MD5: 3e6f50ee48a51e32b20aa767477164b0
SHA1: 9ec5f2e7f8aa2bd95aa2c69b0d2ce3e2163ce213
SHA256: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772
SHA512: 9d20dca9f66d192f2f52488a41b323862e9d76758b6cb2b5899e6dfe0acac53ab3861778bfa43cfde73e5a3a2151e9de7dd3e6517254598473b0659873849b7c
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS:sxX7QnxrloE5dpUphb
Malware Config
Signatures
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
Process: 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
Executes dropped EXE (2 IoCs)
pid Process
2196 ecadob.exe
2104 xdobec.exe
Loads dropped DLL (2 IoCs)
pid Process
2532 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
2532 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotN4\\xdobec.exe" 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBH0\\dobaloc.exe" 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecadob.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xdobec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process
2532 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe (listed twice)
2196 ecadob.exe
2104 xdobec.exe
(the 2196 ecadob.exe / 2104 xdobec.exe pair alternates for all remaining entries of the 64)
Suspicious use of WriteProcessMemory (8 IoCs)
description pid Process procid_target
PID 2532 wrote to memory of 2196 2532 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe 30 (4 entries)
PID 2532 wrote to memory of 2104 2532 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe 31 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2532
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (level 2)
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2196
  C:\UserDotN4\xdobec.exe (level 2)
  command line: C:\UserDotN4\xdobec.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2104
Network
MITRE ATT&CK Enterprise v15
Downloads