Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 05:33
Static task: static1
Behavioral task: behavioral1
  Sample: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  Resource: win10v2004-20240426-en
General
Target: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
Size: 3.1MB
MD5: 1fc9c061cffa61d9910130b0704877bd
SHA1: 165432d7a40beff25264f2f8aa17ee71b4eea543
SHA256: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc
SHA512: 2d79cc1b349d864a949f12f981548f6fb962689ed0befa9b2d663e1d1f23caf22b2f2e64c9dbfa264bf627cc6483968e60e418db4c90de5adb6d9916660f575e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpIbVz8eLFc
Malware Config
Signatures
Drops startup file 1 IoC
Processes:
  f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
Executes dropped EXE 2 IoCs
Processes:
  PID 3016  ecxdob.exe
  PID 2628  abodec.exe
Loads dropped DLL 2 IoCs
Processes:
  PID 1680  f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe (two load events recorded)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU6\\abodec.exe"
  f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZD7\\boddevsys.exe"
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 events, repeated across the same three processes):
  PID 1680  f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  PID 3016  ecxdob.exe
  PID 2628  abodec.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 1680 (f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe) wrote to memory of PID 3016, procid_target 28 (4 events)
  PID 1680 (f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe) wrote to memory of PID 2628, procid_target 29 (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe"
  PID: 1680
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    PID: 3016
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  C:\SysDrvU6\abodec.exe
    Command line: C:\SysDrvU6\abodec.exe
    PID: 2628
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads