Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 20:06

General

  • Target

    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe

  • Size

    2.6MB

  • MD5

    cbfa0825412a6ad9f76f895b18c4f320

  • SHA1

    5f2d2327b8cf845bad200996b915ed10445834a2

  • SHA256

    423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5

  • SHA512

    22302470b7583aea038d0c24406155167b04d02802b5fc162997033ebc12a5ba714e42392285fe770daa074641a3ea65786bafb9c997c4ed2cc6b755740bac93

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSq:sxX7QnxrloE5dpUpmbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe
    "C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2192
    • C:\UserDot6O\abodsys.exe
      C:\UserDot6O\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBUX\dobxloc.exe

    Filesize

    2.6MB

    MD5

    4db3f0a8ca214887cfd2aa7beb3eebd0

    SHA1

    40985a926a895df60a43d288b24612bebacbd392

    SHA256

    9bbfc50831928e3153044649183b72b4258d154baed1a1aa66364d4a97d3f3ed

    SHA512

    ed2e78078e76ae5c7b496b1f356a13782d13361a82e0413d18fdc622d024b2c32a3b968ab546c882c03e047a7e527d589181e8e1e4427242a6935c3893a28b02

  • C:\KaVBUX\dobxloc.exe

    Filesize

    2.6MB

    MD5

    67b63bda74b1f340a22a73e4af1a8294

    SHA1

    024baf78f903cbdcc62b7783e7d9963386b10487

    SHA256

    6999221e08e7fbbbde2c4bf238373072d3ec3ff0ebec00413bb7c3d66cdc4eeb

    SHA512

    00ad75788fbdd9cfb0dc47010ade01bbdc13247050a76fdecb51ff132ec379e18a011c896beb1d95bf30aa24a7681b8b075fd15a652cd4b11eb61227a702a2ce

  • C:\UserDot6O\abodsys.exe

    Filesize

    6KB

    MD5

    b646265f07f9f16a9eedf6d5027f9e3c

    SHA1

    a47300f0e83643f499e1b7c1be83a375a1293ac7

    SHA256

    d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025

    SHA512

    403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67

  • C:\UserDot6O\abodsys.exe

    Filesize

    2.6MB

    MD5

    8ba87f63e63bf4e09ce0629063823b58

    SHA1

    be6a4a5bb8d94a4d0b681ec64a39309c954dc9a3

    SHA256

    8c39fe3dcc35f36f9952a1a9a1da46c7bc29dd0f8e9e7ac732d45fce25f61cb5

    SHA512

    0475235ff6c4b424ae49d596c8b7545b413b26afb9b11520dba56a07531e05d7bf46932d861a765b87eaa1d955df940ed7c2c85e184a3f083996ba8d4450d047

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    af18655f60fd56b9468a21804d0b0d38

    SHA1

    b2485da7dbd7de59862dd166fd8e21a6e659f5aa

    SHA256

    0ce7f994bf8fee21eb94a400c92be49bed78ec52f6452b9bcb7e6c33b04473bd

    SHA512

    f3a280ad438242306e4082c57d093860c62671e76b4a6d680783d815c972efe119c4c1d72789eb879eaef251b4d80df9837cf1f27e71c30fd8dce6bd933017fd

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    caa87c05077aad6d0aba7657a3eaaaf2

    SHA1

    0e79a8c0c835bdd779883fe0a3cd1f29a7f840da

    SHA256

    9b1ad83d9cdbc9fc1a5a044d372ed22928d4823133e0f5bc5a27ddb6d3b40e5b

    SHA512

    317800cdb06655b86a86c1373e1ad8dbe2c8fe292811ee4b98d85694f6151d106861ebcb012bea3cace4454d027a93a83d0b36658a7b4a521c81d82f1df5482d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

    Filesize

    2.6MB

    MD5

    386a65358c62712bb8e174123162a717

    SHA1

    916fd4a573da6e00ad80cab7977b547d93bc1ee2

    SHA256

    0a5c9416348408f71b0c96db1345590baf64b346d33ff05fdf50807629625c9f

    SHA512

    9355f0fa8d2e01b7604e60285daa333b29fcf09c5c067139426f7ae0a1002d2b0e307cad1c939c13ec1816713109f5408e1da671285ab951325e02f19a809a31