Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:40
Static task: static1
Behavioral task: behavioral1
  Sample: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
  Resource: win10v2004-20241007-en
General
Target: b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
Size: 2.6MB
MD5: 782bc029e917158d9dc2d3af1462493f
SHA1: 231172651917f321cabd4532b993d1fc6cce977e
SHA256: 1a103394edcd5e659330eb4db0b7c2f6af6979238a46c71fd9f31e7647dfcec8
SHA512: 6630c41ee88582001e04e491cfc1a7329f2bd5fbcb781dcf3924c1a0753d4daeb445a4340d312aa5ded8283b627393d43a2687afaca47afc3a4011674697b34a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqw:sxX7QnxrloE5dpUpKbVw
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe

Executes dropped EXE 2 IoCs
pid | Process
2804 | ecadob.exe
2700 | xdobloc.exe

Loads dropped DLL 2 IoCs
pid | Process
2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXF\\boddevloc.exe" | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRZ\\xdobloc.exe" | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2192 b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe 2192 b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe 2804 ecadob.exe 2700 xdobloc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2192 wrote to memory of 2804 | 2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | 30
PID 2192 wrote to memory of 2804 | 2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | 30
PID 2192 wrote to memory of 2804 | 2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | 30
PID 2192 wrote to memory of 2804 | 2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | 30
PID 2192 wrote to memory of 2700 | 2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | 31
PID 2192 wrote to memory of 2700 | 2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | 31
PID 2192 wrote to memory of 2700 | 2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | 31
PID 2192 wrote to memory of 2700 | 2192 | b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | 31
Processes
Process tree (depth 1 = root sample, depth 2 = child process):

Depth 1: C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2192

  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2804

  Depth 2: C:\AdobeRZ\xdobloc.exe
    Command line: C:\AdobeRZ\xdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2700
Network
MITRE ATT&CK Enterprise v15
Downloads