Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system
  • submitted
    13-11-2024 14:16

General

  • Target

    3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe

  • Size

    2.6MB

  • MD5

    3e43ac79893671e60cb51956afb88c6c

  • SHA1

    a0d7cd7729b11903f090c6aef75e7d2dba4435a7

  • SHA256

    3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130

  • SHA512

    da1abc2d4b99707afdc13569ff02bcbb440dca4f8eff4b53c59edabd9beb48140ea80130e4d5302a8d678882a5ae69972b19774c3d41215c456ac494e2b0c360

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSG:sxX7QnxrloE5dpUp1bv

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
    "C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3344
    • C:\SysDrvZ9\xbodloc.exe
      C:\SysDrvZ9\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3940
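The process tree above shows the pattern the Signatures flag: the submitted sample (PID 2920) writes ecaopti.exe into the per-user Startup folder, sets a Run key, and then launches the dropped files from the Startup folder and from a random top-level directory (C:\SysDrvZ9\). The following Python is an added example, not part of this report or of the sandbox's own signature engine: it runs that detection logic over constructed Sysmon-style events that mirror the tree. The event field names follow Sysmon naming, the Run key value name and the benign notepad.exe control event are assumptions, and no real telemetry is used.

```python
"""Detection logic for the persistence/execution pattern in this report.

Added example: the events below are constructed Sysmon-style records that
mirror the report's process tree (PID 2920 drops ecaopti.exe into the
Startup folder, writes a Run key, and spawns dropped EXEs from the Startup
folder and from C:\\SysDrvZ9\\). Field names follow Sysmon naming; the Run
key value name and the benign notepad.exe event are assumptions.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\ecaopti.exe")
ROOT_EXE = r"C:\SysDrvZ9\xbodloc.exe"

# Per-user Startup folder: anything written here runs at the next logon.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce value writes.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories legitimately found directly under a drive root.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                   "programdata", "users", "perflogs"}

# Constructed events (EventID 1 = ProcessCreate, 11 = FileCreate,
# 13 = RegistryEvent SetValue), in the order the report's tree implies.
EVENTS = [
    {"EventID": 1, "ProcessId": 2920, "ParentProcessId": 1000, "Image": SAMPLE},
    {"EventID": 11, "ProcessId": 2920, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "ProcessId": 2920, "TargetFilename": ROOT_EXE},
    {"EventID": 13, "ProcessId": 2920,
     # value name "ecaopti" is an assumption; the report only records that a Run key was added
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ecaopti",
     "Details": STARTUP_EXE},
    {"EventID": 1, "ProcessId": 3344, "ParentProcessId": 2920, "Image": STARTUP_EXE},
    {"EventID": 1, "ProcessId": 3940, "ParentProcessId": 2920, "Image": ROOT_EXE},
    # Benign control event: must produce no hits.
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def is_root_dir_exec(image):
    """True for <drive>:\\<dir>\\<name>.exe where <dir> is not a standard root directory."""
    parts = image.split("\\")
    if len(parts) != 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    if not parts[2].lower().endswith(".exe"):
        return False
    return parts[1].lower() not in KNOWN_ROOT_DIRS


def detect(events):
    """Return (rule, pid, detail) hits; correlates FileCreate with a later ProcessCreate."""
    hits = []
    dropped = {}  # lower-cased path -> PID that wrote it
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11:
            path = ev["TargetFilename"]
            dropped[path.lower()] = pid
            if STARTUP_RE.search(path):
                hits.append(("Drops startup file", pid, path))
        elif eid == 13:
            key = ev["TargetObject"]
            if RUN_KEY_RE.search(key):
                hits.append(("Adds Run key to start application", pid,
                             f"{key} = {ev.get('Details', '')}"))
        elif eid == 1:
            image = ev["Image"]
            writer = dropped.get(image.lower())
            if writer is not None:
                hits.append(("Executes dropped EXE", pid,
                             f"{image} (written by PID {writer})"))
            if is_root_dir_exec(image):
                hits.append(("Executes from non-standard root directory", pid, image))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:45} PID {pid}: {detail}")
```

The "Executes dropped EXE" rule is the one worth keeping stateful in production: on its own, a process starting from the Startup folder is common after logon, but a process starting from a file its parent wrote moments earlier is the dropper-and-run behaviour seen here. The root-directory rule is a heuristic for the C:\SysDrvZ9\ and C:\MintQ9\ style paths this sample creates; tune KNOWN_ROOT_DIRS to the environment.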

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintQ9\dobasys.exe

    Filesize

    2.6MB

    MD5

    3107458fd031850370404c1d8bab33d1

    SHA1

    ce4d7f86f61c51e7219462f8845be862cda5f6a5

    SHA256

    b8d0c770647faac8a65dcb5198895cbea0c3e813ab98894850bc061d9b271f91

    SHA512

    30d13268328564753ebb63dbfe0ec16e927231cd688cf8152c7c0b7ec72caf4ccd9f539f2b481a733b2414c5eda2b6786c37a7b39ade66c2a4f13e7973d58de6

  • C:\MintQ9\dobasys.exe

    Filesize

    2.3MB

    MD5

    e68cebea682a898bfea701f6679dda96

    SHA1

    7502a4fb2b83511185d0e36c4a1430aae6572365

    SHA256

    d1e0b2b21d28561491691d1cd318774c6bb989352de98e90ca4166e296f08626

    SHA512

    64d05fe2c73085c5c9e2989c0b89996c7cb032232b4f5db95e42a33b98d93e78dac76bcdff21a1360c66977d2a69f26f32ff536bd03127f8fe8f6fba2081a4d9

  • C:\SysDrvZ9\xbodloc.exe

    Filesize

    2.6MB

    MD5

    fab7e8ba1518ad553c00708f73275d08

    SHA1

    db79cde3d7365db375a65286b79a16654ec7efd1

    SHA256

    f88a0b4ba1b20b675e41d68866eaa93b240d87203d2ae29c98e8fb5d6e409e5d

    SHA512

    d602365b1f6967975e75ec19243a6677e6171d582efdf86a46d203b7c742b19bcc2810a82b6738a07413e655762409f07c9ab036f89f5043b21ec713b1ba7039

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    696c17df5ba6348d3ddd91b557d35f89

    SHA1

    76eacbc5123f2009e5fc44a29513a80eb3f7d2e7

    SHA256

    bd2ddb42c9e51f52be6bbe7eceae0daf73175fd64c64e837f810d6adb1b33bb3

    SHA512

    0c9de3cd1cd0b4c6a60e5548d018a0953b16202c6fb6f79dfd1c1333e9795e7de7b4bd76aabfdc7ff6cbb8676b1f36e481e15cd5a6f5a8e7aea9d7ce5ca8b1da

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    e9f556a7ab853d509f05cdc1263eb710

    SHA1

    2f7319899ec343b6727d383e942750713978a842

    SHA256

    ad19bff9c0a53d6f657196ba5d2800bf425690a9e4320940bf416cb23604cdc3

    SHA512

    29e950cc33fdf6fea3d2d7e49e3e08af63fe1ae7b7777ce651d0f85a19c9d5249e55f8101ae54e2b6550aa7ba002aa334dfab4eeecfa1bf12607b2f1d8cb6bac

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    2.6MB

    MD5

    dd99effe4f763bebf5a402d2f3ca3d65

    SHA1

    4bd47b638a9848d80b659794adeb9173afcafc47

    SHA256

    5dba993c81a00f6220274ec8e61152a885bd322609387b75a1b6aa93bb17b383

    SHA512

    678bf8d66a1baf9c10bafd858f5df864fce7d7e79ce0ff3dd96b28550273e28bdf1c398e94dc3222335434cb0fad141eb0f92ac2fe234cc9089b3336605e1ef5
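The Downloads list is the hash material a responder would hunt with. Note that the same path appears twice with different sizes and hashes (C:\MintQ9\dobasys.exe at 2.6MB and 2.3MB, the .ini at 201B and 169B): the sample rewrote those files during the run, so only the last write survives on disk and either hash may match. The Python below is an added example, not part of this report: it takes the SHA256 values listed above (plus the sample's MD5, to show that any of the three listed digest types works as a key), hashes each file once for MD5, SHA1 and SHA256, and matches on content rather than on path. The labels, the test input and the directory walk are constructed for illustration.

```python
"""Hash-based hunt for the files listed under Downloads in this report.

Added example, not part of the report. REPORT_IOCS maps each SHA256 from the
Downloads list (and the submitted sample's SHA256 and MD5) to a label. Keys
may be MD5, SHA1 or SHA256 hex; every file is hashed once with all three.
"""
import hashlib
import os

REPORT_IOCS = {
    "3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130": "submitted sample",
    "3e43ac79893671e60cb51956afb88c6c": "submitted sample (MD5)",
    "b8d0c770647faac8a65dcb5198895cbea0c3e813ab98894850bc061d9b271f91": r"C:\MintQ9\dobasys.exe (2.6MB)",
    "d1e0b2b21d28561491691d1cd318774c6bb989352de98e90ca4166e296f08626": r"C:\MintQ9\dobasys.exe (2.3MB)",
    "f88a0b4ba1b20b675e41d68866eaa93b240d87203d2ae29c98e8fb5d6e409e5d": r"C:\SysDrvZ9\xbodloc.exe",
    "5dba993c81a00f6220274ec8e61152a885bd322609387b75a1b6aa93bb17b383":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe",
    "bd2ddb42c9e51f52be6bbe7eceae0daf73175fd64c64e837f810d6adb1b33bb3": r"C:\Users\Admin\253086396416_10.0_Admin.ini (201B)",
    "ad19bff9c0a53d6f657196ba5d2800bf425690a9e4320940bf416cb23604cdc3": r"C:\Users\Admin\253086396416_10.0_Admin.ini (169B)",
}

ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return (md5, sha1, sha256) hex digests of an in-memory buffer."""
    return tuple(hashlib.new(a, data).hexdigest() for a in ALGOS)


def hash_file(path, chunk=1 << 20):
    """Stream a file once and return (md5, sha1, sha256); large files are not loaded whole."""
    hs = [hashlib.new(a) for a in ALGOS]
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs:
                h.update(block)
    return tuple(h.hexdigest() for h in hs)


def match_hashes(digests, iocs=REPORT_IOCS):
    """Return the IoC label for the first digest found in iocs, else None."""
    for d in digests:
        label = iocs.get(d.lower())
        if label is not None:
            return label
    return None


def hunt(root, iocs=REPORT_IOCS):
    """Walk root and return [(path, label)] for files whose content matches an IoC."""
    matches = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                label = match_hashes(hash_file(path), iocs)
            except OSError:  # locked by a running process, unreadable, or removed mid-walk
                continue
            if label is not None:
                matches.append((path, label))
    return matches


if __name__ == "__main__":
    import sys
    for path, label in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {label}")
```

Because this sample rewrites its own dropped files, a hash-only hunt can miss a host where the dropper was interrupted between writes or where the payload differs per run; pair it with the path and behaviour detections (Startup folder write, Run key, execution from a freshly created root-level directory) rather than relying on the digests alone.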