Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:00

General

  • Target

    d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe

  • Size

    2.6MB

  • MD5

    f7cf191c3efdf86f2d1a224d2d47fd70

  • SHA1

    4d6cc971511f21e001654d7600db6984c71a57ed

  • SHA256

    d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8

  • SHA512

    730714123d20e8c4dcc046ae7b6f4d1fe5a08f6d044eed175c084f3dfe39ca141222c6f85d8f885db5d8494f0672bc491cd364abdf0ec31e3875ba31f96d0ae3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSq:sxX7QnxrloE5dpUprbV

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1236
    • C:\UserDot8Q\aoptiloc.exe
      C:\UserDot8Q\aoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Mint8B\dobaloc.exe
    Filesize: 2.6MB
    MD5: ddbe523fec5896c73ebdfad2a068bbb4
    SHA1: 03d285de7fc20968b3022fe31fbb4998204ce1d5
    SHA256: 2ec30346fe5090f040a01935037a0af1ead048def0e2267b4ea9c59a3b8a1317
    SHA512: 90a2037d71839040824d62d827553b896f2aac933626c9f204142b06c140eeae06b3f2d5eb230b84768911da662f64ba26a33e44aaa33e730c0958ffac588ea6

  • C:\Mint8B\dobaloc.exe
    Filesize: 2.6MB
    MD5: 625e64609280230258b1413393a0e659
    SHA1: b5b6065c7b685e8b95d677cc0212edfa236680d7
    SHA256: 8532fdb960eb340b32bad72cf25750eff89eadfa1da9d70f5cd98f10c24e62ae
    SHA512: e65dbd9e9b1be1d7103cc1e2ae1027152508a7603256ca47e28658c71cd391b2af8882aa2a1386e211c7ce1c19d90730a998dbe27fd2c24c631ab1fa1acabfe8

  • C:\UserDot8Q\aoptiloc.exe
    Filesize: 2.6MB
    MD5: c14273ffd7e8b7005e6e145ea032d81a
    SHA1: 3ea4e1e6f201485bb343ff5aabbbeb0f2259cd48
    SHA256: 44960a2615abb036c26e768b5da4c85394d356885b085ddebca1be2ba93e05a5
    SHA512: 5e6825e0ad609dd2fcd6bf24ee096ad5cd08baa9faf25c2291cef40a7400b731a35db84d1dc2a8bcc5f8ea229849c6bb3776ea4b00edb719478abf673120427c

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 170B
    MD5: bc0718787be037b59227fad328070f24
    SHA1: 0c2cf1fce9905ff7cd8ff95d4679c091912c060c
    SHA256: a094d79b791e03074a91190fc6810d96a4934d1fe16e380289ee4f28ecf799bc
    SHA512: a77468912e4d1bc6357b39d92dc0d9ddde5f2a0da2b36e8dad70876f97442f4c28a6f7667e6be34342328b7e1be598e1d49c0cd382d51570025ce841d26790b1

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 202B
    MD5: 6a6ada199eec0a132cf8ea43f1f61c11
    SHA1: 9344e3a94a4774324f3e64a315b2930b5b74a10f
    SHA256: ba6a175748e6033ab285cd1fcea7e71544a9b3059928e59eca30a310c4d114ce
    SHA512: eac427e2e6dc9f526b83c535815fa7ee2bb7bd5c0fa21fc4ebace7e826429cf8ddf27d69f4263f0e4d9a7cfc53cc8cbf6e0305576403d518f6b0d0eebf8d5535

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Filesize: 2.6MB
    MD5: 8dd42663e66714d3cf08c1501ce18029
    SHA1: af3ce807bda72cb424153ac6eb0367ea8697ac8f
    SHA256: 475f3d8fbca9b480e9830fcf99144dab3d99b0bcab8ea7e18e9304489f3a7abe
    SHA512: 14ce5b74f44825ead4a24a8396a4aea826128fee70a7e493deb2b4335b3e02b72a4e6d20a92eda5f55b2867bcc23bef5ad0d811dbadffd5ac818bb1a7fe2b10f