57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 22:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
Size

4.0MB
MD5

2ee0a449814fb02ce0d0a5ffdd2ec4d8
SHA1

2d0c7458f4dd5996ee14e278ce07cfefa08f35ac
SHA256

57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19
SHA512

7b870c2a3c91370906c817fe82a925cb547fc5d00359e341006c525acde13e935fb408b352ecaae0cfe50b61bd999b348abd86876306f3353ba6b663411b65e7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe

Executes dropped EXE 2 IoCs

pid	Process
1848	ecxbod.exe
2596	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSJ\\bodaec.exe"	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7E\\abodec.exe"	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe
1848	ecxbod.exe
2596	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1848	2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	28
PID 2980 wrote to memory of 1848	2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	28
PID 2980 wrote to memory of 1848	2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	28
PID 2980 wrote to memory of 1848	2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	28
PID 2980 wrote to memory of 2596	2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	29
PID 2980 wrote to memory of 2596	2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	29
PID 2980 wrote to memory of 2596	2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	29
PID 2980 wrote to memory of 2596	2980	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	29

C:\Users\Admin\AppData\Local\Temp\57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
"C:\Users\Admin\AppData\Local\Temp\57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Files7E\abodec.exe
  C:\Files7E\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7E\abodec.exe

Filesize
4.0MB

MD5
005e76bebedc5edab2eace708b99fa75

SHA1
204fab7bf2459d1e03611396f86f7828e6aaef2c

SHA256
3b305f48a616014e50d9d382e1f36f96785a635d45d92c6c86271d583c1e427f

SHA512
df6dcfdc4bf62c5be8efe834f4ca3e166a807aa100a78d427afcd369c81bf0a5bc1ab3c5e95e86b192d6ad119c6d01aea41165ad8b73b1808adadaaf3afed6b5

Download Submit
C:\LabZSJ\bodaec.exe

Filesize
2.1MB

MD5
7f6f5f97fc89033b03a39e484443f7e6

SHA1
3b158a7a0d5a6aabce0a1a8c457f56cbfbe6a2d2

SHA256
231abe97e8d4fb8739e492e806517dd5ecf1be4736ebec48ccc5783ee3b52497

SHA512
3208a89913f65bc74fcc068f3cfa36ca9657677497ed676384b407b982d9062c3682491dea809c45d3c00e18ce999a42c2ac9d1e5221b39512487d8d853a78fa

Download Submit
C:\LabZSJ\bodaec.exe

Filesize
4.0MB

MD5
8962d1d552bafda5c9fa4bda45053b90

SHA1
a91ef3ec6fe4036aa80ba2e084bebbee65390f8e

SHA256
2400e469fe9c994c05c06c8395df7e96273abe3aef84342e1fc7b9334c4a8f69

SHA512
e6db3a47b8866f658fb1725358de9a6b1b51472f98b8e2b21e401f3a26957dc8c94381755a366b873a742c7f430515c9ef8aac0609aea402b8f2e17ff5115975

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
165B

MD5
cf5ec86b79b48f9665df8860fa98d8b8

SHA1
65ac2a20b0b0f59b388d0dc9cab9bfa67cbfdd7f

SHA256
6182d77df19bf5d68445441a69f2a956d24b37f0113acd2d78b5c8d0305cbb83

SHA512
db8b662e089b1baabf764fd7baedbae85f1a05a362ad13940fa5e8d63be68f06607427a7fe12cfca389c069dd237355eb9217db29241ba952303e94ba4e6eb76

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
197B

MD5
847bc5d2933c9542f711aa685b4fff04

SHA1
ccf142dcc44635d7030a0475cb49d8920c2b78f8

SHA256
c1e007121697e09fd9b017c53de9517bf76c1581114aefff5437badbfb4b1e1b

SHA512
b4d8639c5539add2b17f0eef7f96c15cd3573d38681f821fd080868cf96d5d3f34171213bbd6b5de0b855cdb4bb92180ff51b5f90c76fcabc152acca0ea64187

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
4.0MB

MD5
9d7f1ca78aee62831bb536261e7d0d7a

SHA1
19a7281d7826c02960520172096a7ab38b2538db

SHA256
9be572b56e2d3d36ceaa7ffc3cceeb4cdf1df4f0092626a0a09359ede4c44463

SHA512
d2c656ead544fa65500cedfa2b0aef464c9e76934ebfb5319c396626916af9960deeaabe50a70a5fa87fc538d5a61f8d8f8829fb87f447ac4d98c75426f2df5c

Download Submit