Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 15:08
Static task
- static1
Behavioral task
- behavioral1
  Sample: ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Resource: win10v2004-20241007-en
General
- Target: ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
- Size: 2.6MB
- MD5: 453fd7630731c656c396ddc193d59e40
- SHA1: d6fb879028f527d622555695f55847102fd4b47d
- SHA256: ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736
- SHA512: 58060e442a49fd1cbf144f851cfab4ca430b8e9e150eac625ddeef5d2a02eed82fefc8b2fa6c4436821ba98dcbf95e54291406e2179e4cde38a3c72fa2a58f0e
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bS:sxX7QnxrloE5dpUpnb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe

- Executes dropped EXE (2 IoCs)
  pid | process
  2340 | ecabod.exe
  2324 | xdobsys.exe

- Loads dropped DLL (2 IoCs)
  pid | process
  2276 | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  2276 | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0O\\xdobsys.exe" | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRE\\dobxsys.exe" | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Note: the RunOnce value points at C:\VidRE\dobxsys.exe, a different directory and file name from the C:\Files0O\xdobsys.exe that the Run value names and that actually executed (PID 2324); no process named dobxsys.exe appears in this run, so both paths should be treated as IoCs.

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecabod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobsys.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process | rows in the original table
  2276 | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | 2
  2340 | ecabod.exe | 31
  2324 | xdobsys.exe | 31
  (The original table lists all 64 rows individually; after the two rows for PID 2276, the 2340 and 2324 rows alternate.)

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | procid_target
  PID 2276 wrote to memory of 2340 | 2276 | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | 31 (listed 4 times)
  PID 2276 wrote to memory of 2324 | 2276 | ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | 32 (listed 4 times)
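The two persistence signatures above, a per-user Run/RunOnce value naming xdobsys.exe / dobxsys.exe and ecabod.exe dropped into the Startup folder, are what a detection engineer would hunt for on other hosts. The following is an added example, not part of the sandbox report or of the sample's code: it classifies Sysmon-style registry value-set (Event ID 11 = FileCreate, Event ID 13 = RegistryEvent value set; both are real Sysmon event IDs) records as ATT&CK T1547.001 autostart persistence and adds two risk flags a triage analyst wants, that the persisted binary lives outside Windows/Program Files and that the process writing the key runs from %TEMP%. The event records, the `Finding` type and the field names are constructed for the example and mirror the report's IoCs; the explorer.exe and svchost.exe events are invented benign noise.

```python
"""Triage Sysmon-style events for Run/RunOnce and Startup-folder persistence.

Added example modelled on the sandbox report; the events below are constructed,
not real telemetry. Field names follow Sysmon Event ID 11 (FileCreate) and
Event ID 13 (RegistryEvent: value set).
"""
import re
from dataclasses import dataclass
from typing import Optional

TECHNIQUE = "T1547.001"  # ATT&CK: Registry Run Keys / Startup Folder

# Matches both HKU\<SID>\... and HKLM\... Run / RunOnce value paths.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder, as used by the dropped ecabod.exe in the report.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Where a legitimately installed autostart binary normally lives.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    technique: str
    kind: str        # "run_key" or "startup_folder"
    writer: str      # image of the process that created the persistence
    location: str    # registry value path or dropped file path
    payload: str     # binary that will run at the next logon
    notes: tuple     # extra risk flags


def extract_command_path(value_data: str) -> str:
    """Pull the executable out of Run-value data, handling a quoted path with arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_trusted_location(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def risk_notes(writer: str, payload: str) -> tuple:
    notes = []
    if not is_trusted_location(payload):
        notes.append("payload outside Windows/Program Files")
    if "\\appdata\\local\\temp\\" in writer.lower():
        notes.append("writer runs from %TEMP%")
    return tuple(notes)


def classify_event(ev: dict) -> Optional[Finding]:
    """Map one event to a persistence finding, or None if it is not autostart-related."""
    if ev.get("event_id") == 13:
        target = ev.get("target_object", "")
        if not RUN_KEY_RE.search(target):
            return None
        payload = extract_command_path(ev.get("details", ""))
        return Finding(TECHNIQUE, "run_key", ev["image"], target, payload,
                       risk_notes(ev["image"], payload))
    if ev.get("event_id") == 11:
        target = ev.get("target_filename", "")
        if not STARTUP_DIR_RE.search(target):
            return None
        return Finding(TECHNIQUE, "startup_folder", ev["image"], target, target,
                       risk_notes(ev["image"], target))
    return None


def triage(events) -> list:
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed sample events mirroring the report's IoCs (plus benign noise).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe")
HKU_CV = ("HKU\\S-1-5-21-3290804112-2823094203-3137964600-1000"
          "\\Software\\Microsoft\\Windows\\CurrentVersion\\")
SAMPLE_EVENTS = [
    {"event_id": 13, "image": SAMPLE, "target_object": HKU_CV + "Run\\Parametr",
     "details": "C:\\Files0O\\xdobsys.exe"},
    {"event_id": 13, "image": SAMPLE, "target_object": HKU_CV + "RunOnce\\Parametr",
     "details": "C:\\VidRE\\dobxsys.exe"},
    {"event_id": 11, "image": SAMPLE, "target_filename":
     "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ecabod.exe"},
    {"event_id": 13, "image": "C:\\Windows\\explorer.exe",  # benign, constructed
     "target_object": HKU_CV + "Explorer\\Advanced\\Hidden", "details": "DWORD (0x00000001)"},
    {"event_id": 11, "image": "C:\\Windows\\System32\\svchost.exe",  # benign, constructed
     "target_filename": "C:\\Users\\Admin\\AppData\\Local\\Temp\\wct1234.tmp"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.kind}: {f.payload}  <- {f.writer}  {'; '.join(f.notes)}")
```

Feeding real Sysmon events in requires only mapping the EventData fields (Image, TargetObject, Details, TargetFilename) onto the dictionary keys used here; the regexes deliberately anchor on the CurrentVersion\Run suffix rather than on a hive name so that HKLM variants are caught too.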
Processes
- C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe (PID 2276)
  command line: "C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (PID 2340)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files0O\xdobsys.exe (PID 2324)
    command line: C:\Files0O\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 6a73d9c98b6dce850ec626ddc86993b4
  SHA1: 33346d6841f2f4f32921c034b3576f966827b446
  SHA256: c282d9f59b2890538ccdcc998f877290d1905ad52c3dcb4def30acafe6b934f3
  SHA512: dd0d7d8480fc51db8d2a2946b9dce98c816fdb19078d0ec83b2255e2eaae7a09dfdad4c8edc3b50a2bac7890913f4a625eb8a60b3dddb700df44469bb70afd99
- Filesize: 166B
  MD5: d82cac5925de884ae90aa2054d57d346
  SHA1: 910de397f1413a243d13505c9d6126434a956564
  SHA256: 3ffa47291f8fdf2b6f1306464c1a58267ff6e394b801d44e233d106517e4ca3a
  SHA512: 55e7c4ab8cd57369e663aa8ca1f7f016b40cdd4f0c27ac72b8f635957e1744a71ee226d92b646b1d83c56c82666fe042516c2ff4e0b2f7cb562cd827a006e7da
- Filesize: 198B
  MD5: 5ab98fbf633a425a8a114b8d04e4328e
  SHA1: 1e93e02194949ed022f1179bdb6a9615dbc030f7
  SHA256: 596a30f165ddc8e76856cc4c4431a7e3240caac07ca04de312ac5f5837287fd4
  SHA512: 094b4197b6741d3997e5603b0ed3b6779f943baa440984d213a5bdbbc37b30ce54bc287b8e223164d47202d049f407c239980e698f166ef267a8eb6fdf3013bd
- Filesize: 2.6MB
  MD5: e8fbad3b2a56f8d65e86b9788afe7266
  SHA1: aa4de61a8b9fb32b5067e990ad55a8d039aeb3f4
  SHA256: a7fd6173d525d576a3a482e52ac41859f552d1d861e28bf0fdc931e64aba213d
  SHA512: e18b35aa5f56059eeacd139d9b05752c6b5640d4a56386c72366735badcd13d7de3357b91ba43a91ad19c6e699b08c1edb99e776e265c957460075bbeebbf82a
- Filesize: 32KB
  MD5: 6843f8f48c6b08412830d6db1f113935
  SHA1: 83f66b4ef66565beb675d2c879fc5e587eb37efa
  SHA256: e9e64960df16bd6464d3814dfe634685bc8354fd7df9d86c0178bfbfec8dc821
  SHA512: c7f05aa65f869d626cb413dfbe06a29647e34f2dbe0a53c7af081d9af6b2a3c621e228b4bc98e54a4b8ca83f8385bc087031d69914592368875bf83e3bea4382
- Filesize: 2.6MB
  MD5: 3d57528139d71390b2f3fe2f869ff477
  SHA1: b08919cd879868ec890dd3d6b5558d6ba2eeee1c
  SHA256: 26a5966bec9d29e8cf53950f631b8dce26f698ed204289fa64c56f0d6fecd00c
  SHA512: f971023e63a1148f7015bc075c60909abc0b009839706abac0f03b6c0c4d03c3db0db7a9899320fe7e617541dbeb3911facda7e45bf0e85246ec4d6626d07ffe