Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:36

General

  • Target

    6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe

  • Size

    2.6MB

  • MD5

    440692a91aee96bf3b79e09fa4da0d30

  • SHA1

    8660fb96cf47c02ed8e1983ab0447038b2e59672

  • SHA256

    6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82c

  • SHA512

    dd475e0dd97f83e44e40c3319211ff5ed5f9dd60832780e2c40d06651c83c157d3ce12c9643e1b0ac9b23e81569c6e3ce664f4bfba250e25e7073548e8791509

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUp7b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
    "C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1708
    • C:\SysDrvZ6\xdobsys.exe
      C:\SysDrvZ6\xdobsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZ25\dobdevloc.exe
    Filesize 2.6MB
    MD5 955866843b2d70f1acaa99c1887a8917
    SHA1 fa7dd44c40d78af634bd8d49ca408b00a15dc1f3
    SHA256 becf197a314d7603456a73723a402e12c838f95a30b3b62fbd6883cca57378e1
    SHA512 dc12afc303f1a3f6bcad3e3522186a1cb229c97a9c1ea39ded04987900c122598958d971abc27e66081dd9f89838adbba071cfc7b8d0c57245d024e6bfc5c918

  • C:\LabZ25\dobdevloc.exe
    Filesize 181KB
    MD5 19edbfac35ee4cc2ec541fb6f49eff31
    SHA1 ce97af3e3af303bdcb36bda362d154682ca7ccfc
    SHA256 246bc5f7c083c7754b5256617facde076f75b0c4672c152c6010090385547321
    SHA512 9609adc7265ff031b1648051900f1a42a800c2632d73e33223ea2bb3f6b17ebcd7942b3ab5bd82a43d969500728bd9f6fe7af335a4b5849f338fd1780ff326c4

  • C:\SysDrvZ6\xdobsys.exe
    Filesize 2.6MB
    MD5 19299b20a631f602dadbfedc947b45b9
    SHA1 9fcb1d4fef804af3a7fa9310c3020452b17334d0
    SHA256 f0f5d280f557d57009df926468e13d68d8b98c1e774d8dcb85df8fb6b2e2352d
    SHA512 cc6bfe44a9b7938dc8fed46e0e968ed128696554b673f9ddc349b19502b929eef046eb860e48908a6a22d80bbd2d749f54a0b4d553ec365b8d97429cfc16f817

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize 170B
    MD5 b18ae6d8ba430c964aebacb67d92e119
    SHA1 a57b6a4ca366f7c70a72f57e5139156b6ad75e53
    SHA256 24e775a684534221e36f026beaebc073c513841ce8cfa9a23ad5cc9fae2fb9f3
    SHA512 b215867060e05a436ad102419f1c7bbe228220710c0c942e232dcb88d00135a7482e25ff5f71788ef3b340bdd070d5c33873d6c866095cae21295cffea505112

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize 202B
    MD5 14840abefeaaabde16bb020d5fae395c
    SHA1 991e6fbce74692d7f360845ef1e8e2ff59759a63
    SHA256 a8ba49e4325c42291c969abd0931c0ef4f4dd13483f9c8ed1dfa3740b8c136b9
    SHA512 eb9db47b394009cd9e6b09eda8ac6332087c90790b58eb94b6d0f8ac52bf092569e3b84ad4c3a06d14a95b2a69b9a4ebbe6bd1da47b6f5690cfa5b3be7d061b6

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Filesize 2.6MB
    MD5 3a13e665e1302756969cd26b1565acbb
    SHA1 4f157676313d43fc2da32e3bda71764838f8456d
    SHA256 144a3467eb097f6f8e3d2d859076afbe0462ef307ff1bd20ebc7f5b43e18f4c2
    SHA512 13972258c6c2c3bb3fbb7c841a1fde714e5474c0015aa1de47e5e02606735fb7a43b524a5305e0f8f62fbd9a87b124d6d95f05f9f22c33f0cadb9f2b8895a489