Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 22:57

General

  • Target

    610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe

  • Size

    2.6MB

  • MD5

    7f3b3e0c2939bdb22859057479fc4b16

  • SHA1

    a8963f9e46a95618868ac6ebb62e40f972bf2198

  • SHA256

    610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d

  • SHA512

    36ece480a50115ac49180eb3ffea6fadc3f4310d4af2408fb2d714e7a66a86a32808e21402533fd85a8a89210b0a977443049db35a93b3b746266bfd86820d9f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
    "C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2752
    • C:\SysDrv2Z\xdobloc.exe
      C:\SysDrv2Z\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2700

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Galax6P\dobaloc.exe

          Filesize

          2.6MB

          MD5

          a223736ed80e0a7232fd84363d72159e

          SHA1

          5d92e9a95a108d4a24ed79a76e12641b61bc48bd

          SHA256

          3c9eb4ac5a1a9b279786a3c6cb86270e38d86eb3c175be5043b53064eb2a61d5

          SHA512

          36a441ab570e8ba4ddd901d1303022db5254b5829f3851d2940ff574a52475f2740194124c9eb12ae7af454277d4d487cf8e9381dedae5b3a72f6f71079da88e

        • C:\Galax6P\dobaloc.exe

          Filesize

          2.6MB

          MD5

          b6beec8d83448f23b019412fb0c69858

          SHA1

          39f4358c7e4f05960b5a0691576cc2c28a4d7514

          SHA256

          e810ce628ff366ab4c7bda1179f6750712f5b540293e4408332f5cde89572533

          SHA512

          b382f71a333380d7bd9bda9f9e309d5ed70db2be3a2da525d29fe5cfcaa89909f26aeb2b88be86b5e428fcc4714237dedfc9da8597b48d9825444d07c00563a4

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          169B

          MD5

          076908e3dcbd24cfb4b7a09ec43ce944

          SHA1

          e3d7f1d401d7aa73f60bd4e842c18d1fb42abfe0

          SHA256

          6a16ca8e6a8bd87dedd2fb2f49b163c0456962ee0aa97a91bc3d60fcaa5dd554

          SHA512

          63813fd32a44f6e14d02f00c0df1962356cd5dd1044368b976de642e034c4c942bb25933b2b4548b9adaf27077e3c86d1285a80c16cc0e4d4295caf698968bf2

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          201B

          MD5

          3741bcecea467d1bc89332f54f8b83e9

          SHA1

          88111790410d133e55fd424968f527ad23ae6198

          SHA256

          32cb63a03b9491cbd7013842d00554330485bd54e56131d9fefb5d82f13eac4c

          SHA512

          7868c37d74603b1d6ad6a5b86f3095252d72ffede5c0cffb8636b151d0426875822602e9e1f1c6153c07051b799721a0cbf23421feab4b872cf3ee181bf072d7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          3cb3b34ead24b4a4d18561f04615be49

          SHA1

          abcf579228874d95ce72f4b724ce9605e638e1de

          SHA256

          f25b2d94d1710eb4bb3a89fe64415357309160ec79afee8c307fc0c7d0779e5c

          SHA512

          b877e6028e5d24e0394f3d49061de75e3d204d154accf4cc804dcb90c6d84a06b1c7440f2e6eb270e1faa28a36c1e6cb6d03efbda94e7d09d45c6a8e7e7c4330

        • \SysDrv2Z\xdobloc.exe

          Filesize

          2.6MB

          MD5

          f1f58172ab1e5f1c97761f7fe51a69a6

          SHA1

          2e82b9bd4ea7587dd2e23c49ad60b99eceda6caa

          SHA256

          9485b137e283b11e7570dbbb77927b1943ab82b8d671aee1ea369f1518b17257

          SHA512

          6ae73ac695924c0b4a2ad05e6cc1cf6082cd858d83ab12a483e597ae7128882f046390671148d584f2bff285290e80fd561f55c151aa7249c03fb65f0f3d39c6