Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 05:33

General

  • Target

    f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe

  • Size

    3.1MB

  • MD5

    1fc9c061cffa61d9910130b0704877bd

  • SHA1

    165432d7a40beff25264f2f8aa17ee71b4eea543

  • SHA256

    f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc

  • SHA512

    2d79cc1b349d864a949f12f981548f6fb962689ed0befa9b2d663e1d1f23caf22b2f2e64c9dbfa264bf627cc6483968e60e418db4c90de5adb6d9916660f575e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpIbVz8eLFc

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
    "C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3016
    • C:\SysDrvU6\abodec.exe
      C:\SysDrvU6\abodec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2628
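
The process tree above shows the two persistence paths the dropper uses: an executable written to the per-user Startup folder (ecxdob.exe) and a second binary in a freshly created directory directly under the drive root (C:\SysDrvU6\abodec.exe), with the report also flagging Run-key additions. The following triage helper is an added example, not part of the sandbox output: it takes a host file inventory of (path, SHA256) pairs and a dump of Run-key values, flags exact hash matches against the hashes listed in this report, and flags executables in the two locations the dropper used. The sample inventory, the Run-key values and the benign placeholder hashes are constructed for illustration; the real report gives no Run-key values.

```python
"""Offline triage helper for the indicators in this report (added example)."""
import hashlib
import re
from dataclasses import dataclass

# SHA256 values copied from the report (target and dropped files).
IOC_SHA256 = {
    "f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc": "submitted sample",
    "1b17ed84060ccff1425351c7cc60b227b5be60ca125a590f327b2ce17115a6e2": r"C:\LabZD7\boddevsys.exe (24KB)",
    "3b4fd6d2394a2f6e8d87efd5d9bf0a29b6d66a27a65ff07e0dc1f3f75e035255": r"C:\LabZD7\boddevsys.exe (3.1MB)",
    "6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948": r"C:\SysDrvU6\abodec.exe (8KB)",
    "0c684298e148c36ad575add5bb3db22037de1f9397c86e0c5702601642ce971e": r"\SysDrvU6\abodec.exe (3.1MB)",
    "401fdc1be8ea4ea987dbdf26195f61b66b4240a2f3cf7f9b0d4ff5ca567620a7": r"Startup\ecxdob.exe",
}

# Directories expected directly under the system drive root on Windows 7.
# The dropper wrote to C:\SysDrvU6 and C:\LabZD7, which are not among them.
KNOWN_ROOT_DIRS = {
    "windows", "program files", "program files (x86)", "users", "programdata",
    "perflogs", "$recycle.bin", "system volume information", "recovery",
}
# Per-user Startup folder, where the dropper placed ecxdob.exe.
STARTUP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu"
    r"\\programs\\startup\\[^\\]+$", re.IGNORECASE)
# <drive>:\<dir>\<file>.exe|dll, i.e. a binary one level below the drive root.
ROOT_DIR_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
# First .exe path in a Run-key command line, quoted or not.
EXE_IN_CMD_RE = re.compile(r'"?([a-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reason: str


def sha256_of(path, chunk=1 << 20):
    """SHA256 of a file on disk, for building an inventory from a live host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify_path(path):
    """Reasons a path is suspicious, based on where this sample's dropper wrote."""
    reasons = []
    if STARTUP_RE.match(path):
        reasons.append("executable in per-user Startup folder")
    m = ROOT_DIR_RE.match(path)
    if m and m.group(1).lower() not in KNOWN_ROOT_DIRS:
        reasons.append(f"binary in non-standard root directory {m.group(1)}")
    return reasons


def triage_files(inventory):
    """inventory: iterable of (path, sha256) tuples."""
    findings = []
    for path, digest in inventory:
        label = IOC_SHA256.get(digest.lower())
        if label:
            findings.append(Finding(path, f"SHA256 matches report IoC: {label}"))
        for reason in classify_path(path):
            findings.append(Finding(path, reason))
    return findings


def triage_run_keys(run_values):
    """run_values: iterable of (value_name, command) from ...\\CurrentVersion\\Run."""
    findings = []
    for name, cmd in run_values:
        m = EXE_IN_CMD_RE.search(cmd)
        if not m:
            continue
        for reason in classify_path(m.group(1)):
            findings.append(Finding(m.group(1), f"Run value '{name}': {reason}"))
    return findings


# Constructed sample data: two benign entries (placeholder hashes) plus the two
# dropped executables at the paths the process tree shows.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
    (r"C:\Program Files\Vendor\tool.exe", "1" * 64),
    (r"C:\SysDrvU6\abodec.exe",
     "6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe",
     "401fdc1be8ea4ea987dbdf26195f61b66b4240a2f3cf7f9b0d4ff5ca567620a7"),
]
SAMPLE_RUN_KEYS = [  # hypothetical values; the report lists none
    ("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /quiet'),
    ("ecxdob", r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"'),
    ("abodec", r"C:\SysDrvU6\abodec.exe"),
]

if __name__ == "__main__":
    for f in triage_files(SAMPLE_INVENTORY) + triage_run_keys(SAMPLE_RUN_KEYS):
        print(f"{f.reason}: {f.path}")
```

On a live Windows 7 host the inventory can be produced with `Get-ChildItem -Recurse -File | Get-FileHash -Algorithm SHA256` and the Run values with `Get-ItemProperty` on the HKCU and HKLM `...\CurrentVersion\Run` keys; the root-directory heuristic is deliberately narrow (one level below the drive root) so it does not fire on ordinary Program Files or Users paths.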

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\LabZD7\boddevsys.exe

    Filesize

    24KB

    MD5

    9c2027a7c7492e3e9c9e9e76551a9910

    SHA1

    dc58d3007a7439d9090f8871d30e593200b0c170

    SHA256

    1b17ed84060ccff1425351c7cc60b227b5be60ca125a590f327b2ce17115a6e2

    SHA512

    faaf958baa6509dbacf5ca2c05412824b0f0dc35f73db49ee5e3802ddcaccc3fc8e50ef05f7c6aaa0e56d92323b8a7008d5830c338df5601b0e806aa4de472f3

  • C:\LabZD7\boddevsys.exe

    Filesize

    3.1MB

    MD5

    31b9fdb4447ac3e03d968a552bc4e770

    SHA1

    d627686f45ee3073c5d2b2ab3c697fbb6c80d830

    SHA256

    3b4fd6d2394a2f6e8d87efd5d9bf0a29b6d66a27a65ff07e0dc1f3f75e035255

    SHA512

    4f1ef15941ad7cd5179ae19a4f6a7d244837516dd80b008b9807c6f39d623f60a7fb5b27d828623f476de96fbc5bf2a207a95127ef0f3497fed6a57e91422ad0

  • C:\SysDrvU6\abodec.exe

    Filesize

    8KB

    MD5

    4f22d799849ad951d457b82eff37db75

    SHA1

    4e1063fe8d636bd72f9cd680c689c23c67188ea6

    SHA256

    6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948

    SHA512

    9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    891c967c987ea982c1e60cc6bcc5a40c

    SHA1

    20e30f1ed605617491e7585ee90da44682c6ea4c

    SHA256

    2e08d9f0bc66b04d64a7534ec68d4cebd2d07523028fc084488779347111d1bc

    SHA512

    e7f7a3e258b6defd7dfdf02b952b0a9783a2b6337d57a23ca3e826f366ba1461c5a6a99cac66b40fea945367420628b6a8e39317f7a68e1d412348a2204f2be5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    201B

    MD5

    0d4a04a3fcef2cc9f34eb8b30b62b418

    SHA1

    2edbc1c297dba9631efea4f9c9f32e55d0469f82

    SHA256

    0eb6cd237f3175a57fde98c1a121f8c73ff607981ef2fff9edd1576820d0d02d

    SHA512

    e5ac0f9243fbe9f0f2b8f2b461e81139edd42a6662b2b324040af5f92d9ad45ea6e70e92ef75f51dfe7f9d253f2be6e3ba5cf238fef7273394ad609720c9c7b6

  • \SysDrvU6\abodec.exe

    Filesize

    3.1MB

    MD5

    50bb275267184a0e41603764ec06b077

    SHA1

    b393397afa25191e789c635dea9c6bbfa73ce282

    SHA256

    0c684298e148c36ad575add5bb3db22037de1f9397c86e0c5702601642ce971e

    SHA512

    86c945be7b936374e49b8f166212345b04a36844e19c48c9bd631b07f27d8bb52591b1b975734d6dee4b8b51422cde7c59ee29aa074abbf6f692841eb1c881fe

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    3.1MB

    MD5

    b7bb8edd4e2caeea06934fb4571e43a5

    SHA1

    a3909c7611517ba066e725bebda7338a55138dfa

    SHA256

    401fdc1be8ea4ea987dbdf26195f61b66b4240a2f3cf7f9b0d4ff5ca567620a7

    SHA512

    fcab33a85831f07780fac91e2f839642bba9a234e7efec2b11caad8a07accfe09de5f05fe669f6921f6ced92d34a14b1845f45c22fad0e389b77aedb09112245