Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:36
Static task: static1
Behavioral task behavioral1: Sample 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe, Resource win10v2004-20241007-en
General
Target: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
Size: 2.6MB
MD5: 440692a91aee96bf3b79e09fa4da0d30
SHA1: 8660fb96cf47c02ed8e1983ab0447038b2e59672
SHA256: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82c
SHA512: dd475e0dd97f83e44e40c3319211ff5ed5f9dd60832780e2c40d06651c83c157d3ce12c9643e1b0ac9b23e81569c6e3ce664f4bfba250e25e7073548e8791509
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUp7b
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe)
- Executes dropped EXE (2 IoCs)
  PID 1708: ecadob.exe
  PID 2884: xdobsys.exe
- Loads dropped DLL (2 IoCs)
  PID 1920: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ6\\xdobsys.exe" (process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ25\\dobdevloc.exe" (process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobsys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1920: 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe (2 entries)
  PID 1708: ecadob.exe and PID 2884: xdobsys.exe (the remaining 62 entries, alternating between these two processes)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1920 (6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe) wrote to memory of PID 1708, procid_target 30 (4 entries)
  PID 1920 (6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe) wrote to memory of PID 2884, procid_target 31 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1920
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1708
   2. C:\SysDrvZ6\xdobsys.exe
      Command line: C:\SysDrvZ6\xdobsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2884
Network
MITRE ATT&CK Enterprise v15
Downloads