Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 19:51

General

  • Target
    bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
  • Size
    2.6MB
  • MD5
    e2434796bed4d1cd649c6afb0fc47096
  • SHA1
    42f630e492619fe20283d7227a7f65f9a4e9e361
  • SHA256
    bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2
  • SHA512
    48af8958a4cb5664f84919eb22ab5a69c409146065dd99ea7d4d4f21a116265aa582dfc47b1853424f52ad9126bdc8b9a7328210de842585f7a1a87afcf0aff4
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bST:sxX7QnxrloE5dpUptbc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
    "C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2840
    • C:\UserDotVP\adobloc.exe
      C:\UserDotVP\adobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotVP\adobloc.exe
    Filesize: 2.6MB
    MD5: a9b59fd50ebaa96fe4b424fef373164c
    SHA1: 363f9fa726dd4efd3ccafda46ac7c80017ba33c3
    SHA256: 1c11c49bb849841baa860a28d7eb783fc87316607980d963665b3b945707c2c9
    SHA512: 1f1fd00be44aa7b2bf184f5dff0c87310baf36fd6c0092048d2a0ca9520c87b6f409ae0b62710f8b6b218dd2474b5256a57345fac95aa1a45134b4031912c863

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 167B
    MD5: 924c1df92c2972a703fc41a5f9dd1142
    SHA1: e87c0bb9714ef5e1524fb45fbe97211cbfd52b97
    SHA256: 6c5fd35e989155e26dc0211d2bfa8e02ced13e412e896ad5429a54079ab396e1
    SHA512: 3a6e50d98ecca3b05de456564dc6886ce89a6e547ed3aa307a45e53ed7169418f0d736efd01853fa9f5f42c2fec7e19ee6b52c9f7c45e383d8295d922339c271

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize: 199B
    MD5: f9117eee618ab2f518669fc9e9ac0b69
    SHA1: e46b8ca88d18838e0c13d41f73e3efbb9440e350
    SHA256: 2e5f1564c70b9bea81e670441d620319cfb53b6bc75e08ed4c18c648478a0037
    SHA512: eaa194082870ea6696f1cfe8ebb59c15885af97f3772a9f42cafaddc4140024197e90153214f737c5697beb52e775a452bd26e2d4056a265701f81adb1b7d6cf

  • C:\VidZJ\dobxec.exe
    Filesize: 2.6MB
    MD5: 8ad735c4b1fd47bc059253faf6a96257
    SHA1: dca508a9e3c827be0bd82e6982e101ea1915e1b9
    SHA256: eea5793b496d55ed232476f2596b5d7509f138802748dee1852b1957a98ce5dd
    SHA512: dd458c1dd6151c2c071895e1cee7a2c60665eb5b3e015d6ef1cf92edb8d8fb7ff03638900c6859d832c5d182ad5eca4407c856a34efc93e5b4df7e69b97607c4

  • C:\VidZJ\dobxec.exe
    Filesize: 2.6MB
    MD5: d59404919001e16d0537d335d3186bfb
    SHA1: 2ba6f68ba04c126a4495f777476f7b3c8c73977e
    SHA256: 6a375f4e5c9ce7f1236885cb44fe6d27363e28c153f2fa08b676427841f3b361
    SHA512: 40b0f608f0e7f696787eae54af9dbf1538a46f0c49e236fe8ebe4a1b0d1757d6843557de6e7a3aea541fa7dc6ffa0b5ce6c2cd9f146f3fe73d8f7e6e51c6f83d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Filesize: 2.6MB
    MD5: 5caa483e082bc29ab84be295f233d41b
    SHA1: 4413807b6dfded29dae77e9bcff661527a59544b
    SHA256: 05d7275c56bd2d14607576eabbc1e6328f51c9628f65660263f23132f05c5d07
    SHA512: 6abaf58b413ad5a1aeea47effa18c2e44fb74d385e2bd02f784935dd7b62162789f4b5223f32c7269887e1a4e8b67729cb7dc9da5a9d5bb8081b60d016c0ef2b