d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 03:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe
Size

3.1MB
MD5

178d410026d10d034a4f8799091895d7
SHA1

d7c9b21732118bde51829aace8e01fc5959e0481
SHA256

d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63
SHA512

d429d1f24050047e934dddfc31fcac5700eb318f6378df388e69076df47eeea2202222926223ec10afee6793bfa02360b344f9057f834967f71d655f0d240141
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8:sxX7QnxrloE5dpUpCbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	ecabod.exe
2640	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe
2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKC\\abodloc.exe"	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4Z\\dobaec.exe"	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe
2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe
2504	ecabod.exe
2640	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2504	2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe	28
PID 2156 wrote to memory of 2504	2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe	28
PID 2156 wrote to memory of 2504	2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe	28
PID 2156 wrote to memory of 2504	2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe	28
PID 2156 wrote to memory of 2640	2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe	29
PID 2156 wrote to memory of 2640	2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe	29
PID 2156 wrote to memory of 2640	2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe	29
PID 2156 wrote to memory of 2640	2156	d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe	29

C:\Users\Admin\AppData\Local\Temp\d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe
"C:\Users\Admin\AppData\Local\Temp\d050b35f2cb0ba23ec12c825c81470daba6679303524505516d99a33dcbebd63.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\FilesKC\abodloc.exe
  C:\FilesKC\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKC\abodloc.exe

Filesize
3.1MB

MD5
16afe7db46ef0e1fa1f1fa06197d1421

SHA1
5aa81859c19400e969c21b8e5d19a8d5b3da348c

SHA256
a364be01b493322d207c20fe34aa14c3fcc68a1be00929ba1a857e0ac7313b97

SHA512
3163fa41c2c8fdc3e73110a088c473b030f79a880c8056e99296ea67402a57aff3dc7636706b9c59305dae9d8c376d73ce6e7051dd1ea87271644df70ab4a67f

Download Submit
C:\KaVB4Z\dobaec.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\KaVB4Z\dobaec.exe

Filesize
3.1MB

MD5
1b1e7ae3f215c842412cb0e3b2a62ee3

SHA1
2d979e4f78298956b82f46c0122e98037e8526f3

SHA256
e7de08d2b807d0448127db5499056e6dee5626d9b2bf1e4b695d06194b685303

SHA512
e29c312823c480b2d405399e35303add0b84a3afd0f6c27541e5e7f7741e86565a52cc36fb956158247583eabfa2e42a3e66ac2ae8ae2cce8b0cbf6b23474dfa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
166B

MD5
e101c1b33af0e2c5298d714d343d1df1

SHA1
6df12e723e90b0872cef8465b26d15865e36b950

SHA256
2a02527e24e5f3b930e736bf9b9e4faa4b4709d1ebe755c8eaf2576eef3d2f6a

SHA512
65437cd8c6b619a7ae0ebd338acbf1386d23fa7540dfacc63d45624c1d65b2a065cd36ae42bc7adfff26697317db9c72b3263ce752ed0b9406f1a4b30026969f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
f6c204223230fa3881ec04fcde77a74f

SHA1
3b04a5c759acf26e43760d9bdd503517c5a80011

SHA256
28e6a625fd86f20f8ace93abc278e706e5f4b8076aba7fd865849fdcffc70d16

SHA512
893fb2921de58f695dfc77cecd49cf35a7936beed0582714aa53c8ecb6b70ed882fe802adce03224da1d421b12b68c01b7b7eef1b1c8c236ccc4907659301ba0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.1MB

MD5
ca59452f000b99bf93fc91e0beb72d55

SHA1
6ab6f6adfd93d359c7936a5a74ddd04695fbc356

SHA256
5889640303a881c364fd510b5b27e5a553fdaa348656e27dce247e2e1c304a76

SHA512
151c2917e845b0dc768393efe02d3d043e79fc5e99afbf231845e6817a812dbd235fd1d8602f609fc9219945cd757a0c8b57a816076d148e24218b257196bf3a

Download Submit