Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 16:51

General

  • Target

    42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe

  • Size

    2.6MB

  • MD5

    46f26c47f98deb501b7414fcfca26350

  • SHA1

    7481d679b4b396d1ab1cbae89425ca88e734f9f6

  • SHA256

    42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6

  • SHA512

    f853693f06d8bd30ef77308850b12b88e2387ab113c301aacea2f381fef1be6f9c9c1fe7a01dd14f732ad0bcacee7b912a73e2b07ea9010ded5ad2f7702cbd74

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUp7b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
    "C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2732
    • C:\UserDotGB\adobsys.exe
      C:\UserDotGB\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2764

Network

        MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVB2T\dobdevloc.exe
    Filesize: 2.6MB
    MD5: 3d1d2f31661222e080c9f7b1e6269e17
    SHA1: 9369a5f43aa3f317c09e277bcbc501f6d3dd5d3f
    SHA256: 36257a3005fd4909d2e9f05983b2cc2428edd3369559294ef721209b4dd666c4
    SHA512: 676f76418d399a29cee8303f7882a2a4a33445b9243fbe44cc794f3a74225671b62fb3b340d068a4046a79d469e9ca9470cee4148ef2f7c48c61a27bfcd58e5e

  • C:\UserDotGB\adobsys.exe
    Filesize: 2.6MB
    MD5: d6d6f2b24b8a8129cbf4c07961dfe70a
    SHA1: 54a6a781c68096bf5c98734119373a2b746fb9d4
    SHA256: 27b4e03a3a95dc840ff6b444e2b15e77190b3dff72bad8d7539263eceb3f475a
    SHA512: fe66d1fb078ce0d29722cb7447838200837889747e878e26ba8b5f552cd00418a029f5055545a71d9da4064badda13846698700bf309d0eb6033b9d795e1daef

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 171B
    MD5: a70d0784d91df7f94a5463ca8519d0bd
    SHA1: 10eb1e255417cd954c8c1b3c8a9bf4c95d35fd05
    SHA256: 5fbc773c364a032e99b491a10857896285cc3034f0c301fdd7560afef7cc29aa
    SHA512: 158d9ad34cd4a5cfac3b4e471e2b4c777f11e76915ee000e244caec02fdf239094c03190e803c85343b8febb25748505806b3c7ee4b2ea54b18615c2e34e6fb8

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 203B
    MD5: 3b3244152c6db8a506ac70010c7ef2e8
    SHA1: 55ff8a625c1a84ce127cf18869766d755bf3c40a
    SHA256: dd2ce19cb9df04ef881fc913c92cb0a2038d183fa8cdf37ec856204f8ddf7f3b
    SHA512: adae73e8db78a5a6e65b83407ad5f6812e6951b605f097a9bc3cc563f9ac89936a9372d36eb3af12355665cc275b6b109c3649f0976c8623b49e354f06894cc1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Filesize: 2.6MB
    MD5: 33bfa39a27e5e14b82f354ba90617aba
    SHA1: f6253b7be63e545a8a2a21a43e9d472a87ac2983
    SHA256: 2e158bffcbc0c472a6734bcf9b03dfabc96707228c1983b29bf463b655def2fb
    SHA512: c43feda25c21ba6e29c61bb28c0e3250f1c2e3880ae727ee0405a68cc4dd01ee2ad393d7d8855dd271fbc141877aa73bd1e0d27c0b12ff870ab2b6040c433b6a