Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:22

General

  • Target

    ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe

  • Size

    2.6MB

  • MD5

    421c7abb8fe0f0daaab456397d9a8530

  • SHA1

    494882bea05d1d21899a66c47c579e63c0bf6fe9

  • SHA256

    ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331

  • SHA512

    cd7571f3063d4f93bb0c83da40e746d16d260b4b20a1378d23b24bbfe82cc9ef2caf2c16f4e0f6a4ca892ce62d71602b08396b722b5e4d484d8b2c6982df4fa0

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSq:sxX7QnxrloE5dpUp0bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
    "C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2796
    • C:\SysDrvWH\xbodsys.exe
      C:\SysDrvWH\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2940
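
    The persistence chain above (one copy of the sample written into the user's Startup folder as ecabod.exe, a second copy written to C:\SysDrvWH\xbodsys.exe, a Run key added, both copies then executed) is what a defender would hunt for in endpoint telemetry. The Python below is an example added to this report; it is not sandbox output and not code from the sample. It runs a handful of detection rules over constructed Sysmon-style events (process create 1, file create 11, registry set-value 13) that mirror the paths and SHA-256 values listed in this report. The Run key value name, its data and the user SID in the registry path are assumptions, since the report does not show them.

```python
"""Hunt for the behaviour in the report above in Sysmon-style telemetry.

Added example for this page; not sandbox output and not code from the sample.
Events below are constructed to mirror the report. The Run key value name,
its data and the user SID are assumptions (the report does not show them).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# SHA-256 values copied from the report (submitted target and dropped files).
REPORT_SHA256 = {
    "ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331",  # submitted sample
    "a00a95314a0e04c864de38743fa8b70a49699b604a8e5267dca984353f1d54bc",  # Startup\ecabod.exe
    "2e6058b631ddd92e15519f3b0c69e2a7f77aefc3d1fbf7dee0ffaf748651e175",  # C:\SysDrvWH\xbodsys.exe
    "51df71e7647a7173053bf754f808f204e7aa349cd530d6186150e693e18dfa20",  # C:\LabZEP\dobdevloc.exe
    "5dc8fce67331de9f3ec7b583855aefb9dcd9d610990457852e3c6d881917e867",  # C:\LabZEP\dobdevloc.exe (rewritten)
}

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# An .exe placed directly inside a freshly made top-level directory such as
# C:\SysDrvWH\ or C:\LabZEP\ (not under Windows, Program Files, Users, ProgramData).
ODD_ROOT_EXE = re.compile(
    r"^[A-Z]:\\(?!Windows\\|Program Files|Users\\|ProgramData\\)[^\\]+\\[^\\]+\.exe$", re.I
)


@dataclass
class Hit:
    rule: str
    event_id: int
    detail: str


def sha256_from_hashes(hashes: str) -> Optional[str]:
    """Pull the SHA256 entry out of Sysmon's 'MD5=...,SHA256=...' Hashes field."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_event(ev: Dict[str, object]) -> List[Hit]:
    """Apply every rule to one event and return the rules it triggered."""
    hits: List[Hit] = []
    eid = int(ev["EventID"])
    target = str(ev.get("TargetFilename", ""))
    image = str(ev.get("Image", ""))
    if eid == 11 and STARTUP_DIR.search(target):
        hits.append(Hit("startup_folder_drop", eid, target))
    if eid == 11 and ODD_ROOT_EXE.match(target):
        hits.append(Hit("exe_written_to_odd_root_dir", eid, target))
    if eid == 13 and RUN_KEY.search(str(ev.get("TargetObject", ""))):
        hits.append(Hit("run_key_set", eid, f"{ev['TargetObject']} -> {ev.get('Details', '')}"))
    if eid == 1 and ODD_ROOT_EXE.match(image):
        hits.append(Hit("exec_from_odd_root_dir", eid, image))
    sha = sha256_from_hashes(str(ev.get("Hashes", "")))
    if sha in REPORT_SHA256:
        hits.append(Hit("known_bad_sha256", eid, f"{image} {sha}"))
    return hits


def hunt(events) -> List[Hit]:
    return [h for ev in events for h in check_event(ev)]


def summarize(events) -> Dict[str, int]:
    """Rule name -> number of events that triggered it."""
    return dict(Counter(h.rule for h in hunt(events)))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe"
STARTUP_COPY = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
SECOND_COPY = r"C:\SysDrvWH\xbodsys.exe"

# Constructed events mirroring the process tree and dropped files in the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE,
     "Hashes": "SHA256=FF435D9095AE80CF76A3214DEF9BB7943E9A6F34E094CC149AC2431618A66331"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP_COPY},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": SECOND_COPY},
    # Value name, data and SID are assumptions; Sysmon renders HKCU as HKU\<SID>.
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysDrvWH",
     "Details": SECOND_COPY},
    {"EventID": 1, "Image": SECOND_COPY, "ParentImage": SAMPLE,
     "Hashes": "MD5=0067969e69198d306fe2f1235089e81a,SHA256=2e6058b631ddd92e15519f3b0c69e2a7f77aefc3d1fbf7dee0ffaf748651e175"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "SHA256=" + "00" * 32},  # benign control
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.rule}] event {h.event_id}: {h.detail}")
```

    The hash rule is the narrowest (it only catches these exact builds; note the two different hashes for C:\LabZEP\dobdevloc.exe, so the file was rewritten during the run), while the Startup-folder, Run-key and odd-root-directory rules describe the behaviour and will survive a recompile. In production the same logic would be expressed as a Sigma rule or an EDR query rather than a script, but the matching conditions are the ones shown here.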

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZEP\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          7d47222147ee3e902bda95147d228264

          SHA1

          371298ce45245f1cf5037bf7ac24c474efe14e1e

          SHA256

          51df71e7647a7173053bf754f808f204e7aa349cd530d6186150e693e18dfa20

          SHA512

          78a26ecd1757778f679988305264b14906586485ec68fa6998fd5adbb14235d8ebb46f9d3527ef78c65f10af6b51eedf624db763aff706cbe16c2c180a80d628

        • C:\LabZEP\dobdevloc.exe

          Filesize

          2.6MB

          MD5

          0d9513fa1094b6712076933063efcc59

          SHA1

          a59fbdf06e170a1d3e7939389e39f48d6af1ca87

          SHA256

          5dc8fce67331de9f3ec7b583855aefb9dcd9d610990457852e3c6d881917e867

          SHA512

          f22b67dfbc57b639c79ed98d24ee05a2db8209d207db4ebcfb89db7b43f2c520a9dc6e6451ddd890a3df66909104ba5dac3fb7e165205114209924963b826dde

        • C:\SysDrvWH\xbodsys.exe

          Filesize

          2.6MB

          MD5

          0067969e69198d306fe2f1235089e81a

          SHA1

          cda5b88389ea7974c097040fbdc6c03690d13475

          SHA256

          2e6058b631ddd92e15519f3b0c69e2a7f77aefc3d1fbf7dee0ffaf748651e175

          SHA512

          ae1236abd1d2654f659953225c2d429d4ceb54cf233a10211ec9fb85456abec399d1be1641ade73de03dad0fcfb0c905a68e27c366678ff70fa41196085c8a46

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          98150a99aec28f4e80b64a41956d1a67

          SHA1

          8f189c52f7849a68e2f8b9b1632d184ce24dbf74

          SHA256

          c0dc2eccb22454e6012c149539ac69ef7ec0e03d50d3823cac35443d7e1f9b33

          SHA512

          14243089cc2b1f5f8a87a85910b6427d8c43656157ca31327611a800c6b62eb01c2866144dced80e5a8e45455d7602a1aea83f4ffca597234c36c7a4a02ed488

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          f7a6642f3aa36c7c795f15f6353b164b

          SHA1

          5582c18f6b64fe987ed087a86a97140ffb5ce494

          SHA256

          c077a394758b06c315bdcdd3af5917012d882614a46fc6f23a8f3582816dc0fc

          SHA512

          141cb045801d5e8e170dba8c3a62b8bbc1a757a35b3ff9ff8824f64db29274471ee929a402ffe6f24db6deee4ac92279e81a8d5b2f2c961bdca92d9270eff336

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

          Filesize

          2.6MB

          MD5

          3dc7ee1f69254fba07972b60825b540e

          SHA1

          c2a9b4a48256f2e0fe838d8bf82ffd7fb11230c3

          SHA256

          a00a95314a0e04c864de38743fa8b70a49699b604a8e5267dca984353f1d54bc

          SHA512

          db5ee79f61e9d455746eea32760ad71dca54162577134fce011fc18920b8c7b4bb5012696f23cb9a3ca0d0bea645d042f75ac488e2da7e7864b7331f820cff50