Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 15:08

General

  • Target

    ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe

  • Size

    2.6MB

  • MD5

    453fd7630731c656c396ddc193d59e40

  • SHA1

    d6fb879028f527d622555695f55847102fd4b47d

  • SHA256

    ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736

  • SHA512

    58060e442a49fd1cbf144f851cfab4ca430b8e9e150eac625ddeef5d2a02eed82fefc8b2fa6c4436821ba98dcbf95e54291406e2179e4cde38a3c72fa2a58f0e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bS:sxX7QnxrloE5dpUpnb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
    "C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2340
    • C:\Files0O\xdobsys.exe
      C:\Files0O\xdobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2324

Network

        Downloads

        • C:\Files0O\xdobsys.exe

          Filesize

          2.6MB

          MD5

          6a73d9c98b6dce850ec626ddc86993b4

          SHA1

          33346d6841f2f4f32921c034b3576f966827b446

          SHA256

          c282d9f59b2890538ccdcc998f877290d1905ad52c3dcb4def30acafe6b934f3

          SHA512

          dd0d7d8480fc51db8d2a2946b9dce98c816fdb19078d0ec83b2255e2eaae7a09dfdad4c8edc3b50a2bac7890913f4a625eb8a60b3dddb700df44469bb70afd99

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          166B

          MD5

          d82cac5925de884ae90aa2054d57d346

          SHA1

          910de397f1413a243d13505c9d6126434a956564

          SHA256

          3ffa47291f8fdf2b6f1306464c1a58267ff6e394b801d44e233d106517e4ca3a

          SHA512

          55e7c4ab8cd57369e663aa8ca1f7f016b40cdd4f0c27ac72b8f635957e1744a71ee226d92b646b1d83c56c82666fe042516c2ff4e0b2f7cb562cd827a006e7da

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          198B

          MD5

          5ab98fbf633a425a8a114b8d04e4328e

          SHA1

          1e93e02194949ed022f1179bdb6a9615dbc030f7

          SHA256

          596a30f165ddc8e76856cc4c4431a7e3240caac07ca04de312ac5f5837287fd4

          SHA512

          094b4197b6741d3997e5603b0ed3b6779f943baa440984d213a5bdbbc37b30ce54bc287b8e223164d47202d049f407c239980e698f166ef267a8eb6fdf3013bd

        • C:\VidRE\dobxsys.exe

          Filesize

          2.6MB

          MD5

          e8fbad3b2a56f8d65e86b9788afe7266

          SHA1

          aa4de61a8b9fb32b5067e990ad55a8d039aeb3f4

          SHA256

          a7fd6173d525d576a3a482e52ac41859f552d1d861e28bf0fdc931e64aba213d

          SHA512

          e18b35aa5f56059eeacd139d9b05752c6b5640d4a56386c72366735badcd13d7de3357b91ba43a91ad19c6e699b08c1edb99e776e265c957460075bbeebbf82a

        • C:\VidRE\dobxsys.exe

          Filesize

          32KB

          MD5

          6843f8f48c6b08412830d6db1f113935

          SHA1

          83f66b4ef66565beb675d2c879fc5e587eb37efa

          SHA256

          e9e64960df16bd6464d3814dfe634685bc8354fd7df9d86c0178bfbfec8dc821

          SHA512

          c7f05aa65f869d626cb413dfbe06a29647e34f2dbe0a53c7af081d9af6b2a3c621e228b4bc98e54a4b8ca83f8385bc087031d69914592368875bf83e3bea4382

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

          Filesize

          2.6MB

          MD5

          3d57528139d71390b2f3fe2f869ff477

          SHA1

          b08919cd879868ec890dd3d6b5558d6ba2eeee1c

          SHA256

          26a5966bec9d29e8cf53950f631b8dce26f698ed204289fa64c56f0d6fecd00c

          SHA512

          f971023e63a1148f7015bc075c60909abc0b009839706abac0f03b6c0c4d03c3db0db7a9899320fe7e617541dbeb3911facda7e45bf0e85246ec4d6626d07ffe