Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:40

General

  • Target

    b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe

  • Size

    2.6MB

  • MD5

    782bc029e917158d9dc2d3af1462493f

  • SHA1

    231172651917f321cabd4532b993d1fc6cce977e

  • SHA256

    1a103394edcd5e659330eb4db0b7c2f6af6979238a46c71fd9f31e7647dfcec8

  • SHA512

    6630c41ee88582001e04e491cfc1a7329f2bd5fbcb781dcf3924c1a0753d4daeb445a4340d312aa5ded8283b627393d43a2687afaca47afc3a4011674697b34a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bSqw:sxX7QnxrloE5dpUpKbVw

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
    "C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2804
    • C:\AdobeRZ\xdobloc.exe
      C:\AdobeRZ\xdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2700

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeRZ\xdobloc.exe

          Filesize

          2.6MB

          MD5

          eb0fb1d7a07ba1cb4a3a5b86865c8742

          SHA1

          7c3e5f49911b42e223c3d2a257519ee02fe27230

          SHA256

          8b52905c8ea112dd580270126281fd10a99685c4b864a52556c88810d432a5f1

          SHA512

          13f9a5fe8fcafa6d90f32faf8b85bb9f5a37b11fe6faff443471100af2de245fd8b526f1edc822495adef31ef991b55128c28bd50e3366b69f7c291f3811e569

        • C:\GalaxXF\boddevloc.exe

          Filesize

          2.6MB

          MD5

          99b65db50dba3eeff96a893a53b2c097

          SHA1

          92d085ea2465f204c53292477d5113405328285f

          SHA256

          4ff5cb185e105455e090d470cf28e99e44d3967c36267b4f3f872e92044984df

          SHA512

          3df470e68960f9615514cfea6412a9308452fd3d9a30f3affec38c535461cf9b93d12c4fba5d01bd3c96888727dda82e10f93b683b373a6fef5e2f2a8cdd4ee4

        • C:\GalaxXF\boddevloc.exe

          Filesize

          2.6MB

          MD5

          3d87b00043954df060c5593c08f9f9b6

          SHA1

          ef8a69389545c01cdaed38b7b037f963205a94df

          SHA256

          0caa71936b4430cd7528fb864eaf702b21253597d45115d366c8c0b6cbac5833

          SHA512

          633b56d31a4478bd1bef026330ef1ea8ffbee52e4f17058150a962f885b53c0747a296f8ae15d5f1b8f068af2a1164868182a657619f06b91131b4a15fcd4335

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          5d3ee695ca5f6b0a9b95457dd478597a

          SHA1

          6003e8c3ca9119ee9c4134442b30c6430bf5df99

          SHA256

          ba4778074c791e8754f2c0d70e56d37ac0c40dcb372fc7bf97d78299764ed427

          SHA512

          d5381f4153d5478f69c116d6b4d698cbc9fd2f7c4d7eb16234b88fc4193bd8a575e0e9669187a303ccede4ce60a049033634e6d4082df615bee5cbdd39a73989

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          2a3dfa581a157019fc8491256b4a678a

          SHA1

          ecb4af8221ee72335c9aa68e82605a44ec1d79ac

          SHA256

          35a098db0a7375cc8712e27303e249deb0f19981837adefc5b799f6ceb6251e5

          SHA512

          fc4bce150724cab06b75e5728c612b92e96991bd2f73300ecf606b65f4c8e215b18e8904c8587b817c0e5775283706bd1074ccfe35fa8e698cd191740faa5960

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          5e43ed3f8428492a1a628aa33d58cbc5

          SHA1

          9d27e551dc81de020c00526274ff1935465eaf78

          SHA256

          1b51007b8f96a1e6db7c3815854397f4f9d99315366044583c5d5b371e0fc355

          SHA512

          fb0ad3f68d425920499bfc6364fd0b406a569ebef62e491c22f97b58f92940dde49a395294b363fa65aa3c20ce0908feff25f81680cf3d5264320c3ff8a85939