7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
Size

3.2MB
MD5

4a7d93131a90e09700908ddd29caf6b4
SHA1

e30603b7ac5b40602edb8054966e5042ceac9cbe
SHA256

7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1
SHA512

d10bfa91b253528012d7b05a5a28fa133b77e1ba26cb8c6047f4e499e70c44a9ac5905853a642e65fa1be9e1b8d800f88e692575ef2f6c79385cb595f46737e9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpgbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe

Executes dropped EXE 2 IoCs

pid	Process
2140	ecxdob.exe
1212	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOT\\bodaloc.exe"	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotV2\\abodsys.exe"	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe
2140	ecxdob.exe
2140	ecxdob.exe
1212	abodsys.exe
1212	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2140	2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	84
PID 2488 wrote to memory of 2140	2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	84
PID 2488 wrote to memory of 2140	2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	84
PID 2488 wrote to memory of 1212	2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	85
PID 2488 wrote to memory of 1212	2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	85
PID 2488 wrote to memory of 1212	2488	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	85

C:\Users\Admin\AppData\Local\Temp\7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
"C:\Users\Admin\AppData\Local\Temp\7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\UserDotV2\abodsys.exe
  C:\UserDotV2\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintOT\bodaloc.exe

Filesize
3.2MB

MD5
99cf96a2ad0d8473dca7ae842be1d09d

SHA1
c3857bce22f6dbea89b2420f4b699997c9a172ee

SHA256
7ae8a9c304821543b103ec9e9606e865b11196367332b4ec452de002d9dcfb3e

SHA512
30b3c7bdb583118e6dbd6db5dc6f813610a12a7039c54f22a162be905a70fe22ea5bba37caa235933f108fbb66095f4360f3c48a51bfdc8d3b2290a3cd4d5a36

Download Submit
C:\UserDotV2\abodsys.exe

Filesize
3.2MB

MD5
ec6a25ffd9f4464bb368f942f8fbee39

SHA1
04e48845fa92623ff86eea3366359e9939489895

SHA256
71c7a90a0a070d5469294ccc3a2dc840f773723d44623e26edffeac6fb76f9f2

SHA512
a31594c2b5846008548ac1614b5522d0d100cf242fb7226d68b7b86343e676823406a7e925e27f2c94acab6e2f3b3287a308b29f77ffb5925af71636520e540f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
a0d8f9b752a3920a373509cdc931984d

SHA1
c29d9b2d2172dde59735ac844f2176d5913b6d79

SHA256
fcea5feeb07eebece7e83ae41ed6677dccc481682e721c6384f385e206f2d3ea

SHA512
bb3bd2bb85e343ee16525e682d1e7009400dc5b411a3b8aadb42b740c4e59f975e78b201fb921110fc7b9d0942bbf1651aa7bfa0e059b44b74410795cd77d4b3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
e842b75e0568a7b75936c047d2db243e

SHA1
8aa1dc3f52c5e8ede239eb31e72f4c0c0e5074f2

SHA256
ee65f41c38299f66a625e58a46e327ddbe2e8f3c24f7438f8645cb6b386f7cfc

SHA512
35beacfe9dd65d2835f950698ded234c3af81b881b937be954c93630233e2842dfb3589fd332122e20e5c0ec5da202f2c735d352bbfd84152276d9767679f946

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.2MB

MD5
e2ccda07da8eba891eaf1a4e09609ede

SHA1
4192fa7db046623357ad5e4bf0b59a8053db1969

SHA256
7d1d3f9461821e6a88ffebf939f70a5fbb0f0ed8ffc8f0e3dec1515de7f6019f

SHA512
f4d398c0a6cfb259b09b39666120987e6f4f34b5b5db415a07b42dd601d6d87ea6b53ff7ca515eddfdf18b91f376a731740227ec4ffeb9b09bd4b3d5c4ab8a4b

Download Submit