Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 22:59

General

  • Target
    619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
  • Size
    2.6MB
  • MD5
    fbad5430cd662d3af22592e04b2bc074
  • SHA1
    22e9540411b99d83a2fbe15c3377e483c44f2031
  • SHA256
    619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80
  • SHA512
    0e9431853152383f66ea06829ee052fac4bcb0404e45ae3e0703eabe01f0889909feb311d442d8c5bb094907926a37b3288df179729c459e2bd9f5b96ff0810b
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSq:sxX7QnxrloE5dpUp6bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
    "C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3104
    • C:\SysDrvXL\xoptiec.exe
      C:\SysDrvXL\xoptiec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4236

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\KaVB9D\dobxec.exe
          Filesize: 2.6MB
          MD5: b3fe316653a050c97979922b587a6f40
          SHA1: 6e265faa92cc6ec9ce3d902dfabcc5890e3207e5
          SHA256: c2454c2e86bfc377d9bd8f87dbc6d226c46af1c63d9d256f0a3dcaa2de34dd4f
          SHA512: 5f29a7ca83560afa6682e8abd6be6cc4b359a467586e40677bea68f7a93d5ab74236d866af1dc3b61a941f08b8a104da4549c5ce7f401e78565ceff62b491693

        • C:\KaVB9D\dobxec.exe
          Filesize: 1015KB
          MD5: ce1e4653ab125653cb8daee5ade3db99
          SHA1: e5cd3fb67d670398b35863c7dea12cb972571397
          SHA256: fae9d95858e344767a41f67f5896eeb04291338e6ae607a0c2b60569b5b32546
          SHA512: bf6d81338a530263db4fa8b280fa91134dd496102d86afa3c21a9ce3565d070b392732bbcf1563e3befa1b9ef96cb7a4608bd9f2e3e8d316a45c83121b2610ab

        • C:\SysDrvXL\xoptiec.exe
          Filesize: 2.6MB
          MD5: 9c51f5867980da5ef74c551c64fc3141
          SHA1: 43a66c047b4aa05f992fac3efd20fe0a4f28d291
          SHA256: 0f38b67e03ba42936b6d33031c77b85244385529381551ba83eefa13263f3cc3
          SHA512: 29615a68fa0e36ce527546a06f48c9e83e1929deb8532d89a9dc5e59d698884e35c83bcb52882a172cf42bae5b06441d2bef836c9c7c6548e5418b635626be80

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 199B
          MD5: 661695a8229b21f5ef9b948fcb18a3f7
          SHA1: 44a29723945a010652adb65093023a1f6505dd52
          SHA256: c17fae0c01415e1691dc78813577d6f87b08889e3c44c9a507a1ddb51e3bc963
          SHA512: 14f0920d0106545704cc40a7ecf2693397c87452da0fdb676726dd7a3f6a61231b311621958f2c626f2cc0f4d1c2128d8b01949462086246d803f11722de86c0

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 167B
          MD5: a15e5d8d21dc32a7be474afbafa56b49
          SHA1: 677fa3409f5821d0347666b4a7d12e8df52545b9
          SHA256: e3e3feec800d63dc05af01f7ca95b93c02d9f599bd7b73564ce164be4cee4b2b
          SHA512: c464733cb45d871b711195712c90657506840e53b83c58a003f410f018af7e98e5a6285a3eec294cd67590261cc8dd8f3f2a4a1618b35e82c52faec8ff4d5dab

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
          Filesize: 2.6MB
          MD5: 610aed4d2a02e31c74c8b59649f7807c
          SHA1: 0f7f7b11eab6c8c5f0a29550faf5be5b10b509ad
          SHA256: 1b0b5c4bdc072801bb8239681281129506eafa1001de20237c59e6e40475d4d9
          SHA512: ca316d4a14249de64a8998a7b25ce6f48f40538f962a0f97a1e2172d5609b9f3e11f10d6605de62e4794eeb7c3c5ccab4540bba1bcea3d07f41a0c43e2680b3e