Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 11/11/2024, 22:57
Static task: static1
Behavioral task: behavioral1
  Sample: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
  Resource: win10v2004-20241007-en
General
Target: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
Size: 2.6MB
MD5: 7f3b3e0c2939bdb22859057479fc4b16
SHA1: a8963f9e46a95618868ac6ebb62e40f972bf2198
SHA256: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d
SHA512: 36ece480a50115ac49180eb3ffea6fadc3f4310d4af2408fb2d714e7a66a86a32808e21402533fd85a8a89210b0a977443049db35a93b3b746266bfd86820d9f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2752 | ecadob.exe
  2700 | xdobloc.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2216 | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
  2216 | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2Z\\xdobloc.exe" | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6P\\dobaloc.exe" | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecadob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; distinct pid/Process pairs listed)
  pid | Process
  2216 | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
  2752 | ecadob.exe
  2700 | xdobloc.exe

Suspicious use of WriteProcessMemory (8 IoCs; distinct rows listed)
  description | pid | Process | procid_target
  PID 2216 wrote to memory of 2752 | 2216 | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | 30
  PID 2216 wrote to memory of 2700 | 2216 | 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe"
  PID: 2216
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 2752
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\SysDrv2Z\xdobloc.exe
    Command line: C:\SysDrv2Z\xdobloc.exe
    PID: 2700
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads