Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 19:46

General

  • Target

    1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe

  • Size

    2.6MB

  • MD5

    8dd78af353a40a21e7f4a68d1f98d862

  • SHA1

    968360bbe8492b80a45278d27f38f55a03dff1d2

  • SHA256

    1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d

  • SHA512

    dedf814fd9efaf3506bfeddc1189419968b2d2bb11927fae67936938d0a2a9518b1e319267f2a9b633663e9adb19edb4297d664f1f4492327c50a64e40b07a17

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
    "C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:964
    • C:\UserDotFD\devdobec.exe
      C:\UserDotFD\devdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2936

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZVF\dobaec.exe

          Filesize

          2.6MB

          MD5

          49145a78b75a9970005bd5d260fcee00

          SHA1

          ce4b444a95de48a53c7ff9bd9910c5a185b16bec

          SHA256

          ff7379e23a4970913b937004e8da5cdc6a4768bf2dad0d5f5df344b4f1ae73db

          SHA512

          0d695b581f18c2000f1d6185e8954ea8257093064fec4259960d045796881bcd0303d891c020ec9b7764897925eb0b323dcf81de86914e7824734200c67b07ce

        • C:\LabZVF\dobaec.exe

          Filesize

          84KB

          MD5

          4dcc4da5f3ba5e92b9fa638971bbc513

          SHA1

          b4a298d739d70f7dd2209a4040c2d27d8d74c9da

          SHA256

          2f26e66611a6f50c141954f8fbc33b9a1f781a5434991aa5a3ea004773c23c8f

          SHA512

          646aa93c3806bd723c8262543f5d055e1502094d0b70dac64c6a6e29922746dec17e4237c39cb6038c8a20abdf9cf2039bbf75ff477dd21278d6118e9955a7d5

        • C:\UserDotFD\devdobec.exe

          Filesize

          2.6MB

          MD5

          8b7b8c4f38cfcb14c6d7d9af767744a6

          SHA1

          c9608f290f316c122f9214cc1eb982b2090aaef5

          SHA256

          3f093d1c0e403b29a6f8f3b609d3563f7e304dc9895ddc576d4a32d41abbf488

          SHA512

          f14da2852e41fd566a97ed99910303115012247f3e0c6b8a7c6803b10a102d5b54a1b86ceffea8318fe86d4e6548c45a6b58d7e64188c5bb8940d072419c9089

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          201B

          MD5

          76672c7a2a8e5954bb110a40d3362e23

          SHA1

          405d4a078248f5fe35db2c4a902839c6405361f4

          SHA256

          041a3ed7897d9c8b508e5b4d2013470a7ff791ebcc92cb8874b669af9d029380

          SHA512

          7690af1390ade6e92169501cab5ee7dd3befbac05a0de526437e15ad955d4ca31adb01cc87111c1d307fc6d217c1ec1f2fd39fbf1396daf9204c6ee930a6664a

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          169B

          MD5

          60576ccfc73279113a7b17797fe56f9b

          SHA1

          412827d5611b58e2e45aeb3f213889c41cfb8968

          SHA256

          8f536f61bd2981a945787cce75d01966ec36c2e6c30a09c6a8e07978f505cd00

          SHA512

          acabb940cd0673c701238b71933cd82665f92516f1d4849bcdd921bc7b20da572b096f735671fe71926cab9f3d7adf98d07562a599c22c13d6d9b5d73be81735

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          65bd24bf44c8770c514f5c0a3d2b6ca4

          SHA1

          58e7449c5edb2bde903d62e8574941cfc877cf18

          SHA256

          2010a9785abcd9890279ea3e8716f947566adc0f1af9fd0e00d25622ee09fa82

          SHA512

          741a720e0b6eb8caad2bd3a04b598fe0093f2c1dec7baaf73f8c09e990b8f2cbc9c3e3a2fd90fd60effa9bc046b6e3e3786fdfb70bb750a764dd43fc1bdf81c1
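As an added example (not part of this sandbox report, and not the sandbox vendor's code): a small Python triage helper that parses the flattened Downloads block above into IOC records, flags any dropped file whose path sits in the per-user Startup folder (the persistence location shown in the process tree), and hashes files under a directory to match them against those records. The hash values in REPORT_TEXT are copied from this page (SHA1 and SHA512 lines omitted for space); the temporary files, and the extra record built from one of them so that the run produces a hit, are constructed and labelled as such in the code.

```python
"""Added example, not part of this sandbox report: parse the flattened Downloads
block into IOC records, flag Startup-folder paths, and hash-match files on disk.
REPORT_TEXT is copied from this page; the temp files and the extra IOC built from
one of them (so the run produces a hit) are constructed so it runs offline."""
import hashlib
import os
import re
import tempfile

HASH_FIELDS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Per-user Startup folder, the persistence location seen in the process tree.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Two records from this report's Downloads section (SHA1/SHA512 lines omitted).
REPORT_TEXT = r"""
• C:\LabZVF\dobaec.exe
  Filesize
  84KB
  MD5
  4dcc4da5f3ba5e92b9fa638971bbc513
  SHA256
  2f26e66611a6f50c141954f8fbc33b9a1f781a5434991aa5a3ea004773c23c8f
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  Filesize
  2.6MB
  MD5
  65bd24bf44c8770c514f5c0a3d2b6ca4
  SHA256
  2010a9785abcd9890279ea3e8716f947566adc0f1af9fd0e00d25622ee09fa82
"""


def parse_downloads(text):
    # Each "• path" starts a record; fields follow as a "Label" line then a value line.
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # the page also puts a blank line between every entry
            continue
        if line.startswith("•"):
            path = line[1:].strip()
            current = {"path": path, "autostart": bool(STARTUP_DIR.search(path))}
            records.append(current)
            pending = None
        elif line == "Filesize" or line in HASH_FIELDS:
            pending = line
        elif pending and current is not None:
            if pending in HASH_FIELDS:
                line = line.lower()
                if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[pending], line):
                    raise ValueError(f"malformed {pending} for {current['path']}: {line}")
            current[pending] = line
            pending = None
    return records


def digest_all(chunks):
    # All four digests in one pass, so a large file is read only once.
    hashers = {f: hashlib.new(f.lower()) for f in HASH_FIELDS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {f: h.hexdigest() for f, h in hashers.items()}


def hash_file(path, chunk_size=1 << 20):
    with open(path, "rb") as fh:
        return digest_all(iter(lambda: fh.read(chunk_size), b""))


def build_index(records):
    # (algorithm, digest) -> record, so a file matches on whichever hash a record has.
    return {(f, rec[f]): rec for rec in records for f in HASH_FIELDS if f in rec}


def scan(root, index):
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digests = hash_file(path)
            for f in HASH_FIELDS:
                rec = index.get((f, digests[f]))
                if rec:
                    hits.append({"file": path, "matched_on": f, "ioc_path": rec["path"]})
                    break
    return hits


def demo():
    records = parse_downloads(REPORT_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("readme.txt", b"benign constructed content\n"),
                           ("ecxbod.exe", b"constructed stand-in for a dropped exe\n")):
            with open(os.path.join(tmp, name), "wb") as fh:  # constructed files
                fh.write(data)
        # Constructed IOC so the demo yields a hit; a real hunt uses report values only.
        fake = {"path": r"C:\constructed\ecxbod.exe", **hash_file(os.path.join(tmp, "ecxbod.exe"))}
        hits = scan(tmp, build_index(records + [fake]))
    return records, hits
```

Calling demo() returns the parsed records (with ecxbod.exe flagged as autostart) and one hit, produced only by the constructed record: the report's own hashes match nothing on a clean host, which is the expected result of a hunt. Indexing every algorithm separately is deliberate, since EDR, mail gateways and sandbox reports rarely agree on which digest they emit; a record with only a SHA256 still matches a file whose MD5 is unknown.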