ba677103a2061050d4a34492676048e06e565d94ba367282cb8b76799d23b210

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

683112823e40d4b3e6e669bf3fbba360N.exe
Size

2.6MB
MD5

683112823e40d4b3e6e669bf3fbba360
SHA1

45e662ac81fe4d1872b76d185cdf6098ad5b6d31
SHA256

ba677103a2061050d4a34492676048e06e565d94ba367282cb8b76799d23b210
SHA512

3f708106bf2228c94d66dcb05777821847ca3f1ea2369f25a5861c1ef9f3ee2922a20282914093fb417b315a18087580fb300ec92644bc21fd0a6c8d1b673726
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUpbb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	683112823e40d4b3e6e669bf3fbba360N.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	ecadob.exe
2868	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	683112823e40d4b3e6e669bf3fbba360N.exe
2372	683112823e40d4b3e6e669bf3fbba360N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXO\\abodec.exe"	683112823e40d4b3e6e669bf3fbba360N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHQ\\bodasys.exe"	683112823e40d4b3e6e669bf3fbba360N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	683112823e40d4b3e6e669bf3fbba360N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	683112823e40d4b3e6e669bf3fbba360N.exe
2372	683112823e40d4b3e6e669bf3fbba360N.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe
2796	ecadob.exe
2868	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2796	2372	683112823e40d4b3e6e669bf3fbba360N.exe	31
PID 2372 wrote to memory of 2796	2372	683112823e40d4b3e6e669bf3fbba360N.exe	31
PID 2372 wrote to memory of 2796	2372	683112823e40d4b3e6e669bf3fbba360N.exe	31
PID 2372 wrote to memory of 2796	2372	683112823e40d4b3e6e669bf3fbba360N.exe	31
PID 2372 wrote to memory of 2868	2372	683112823e40d4b3e6e669bf3fbba360N.exe	32
PID 2372 wrote to memory of 2868	2372	683112823e40d4b3e6e669bf3fbba360N.exe	32
PID 2372 wrote to memory of 2868	2372	683112823e40d4b3e6e669bf3fbba360N.exe	32
PID 2372 wrote to memory of 2868	2372	683112823e40d4b3e6e669bf3fbba360N.exe	32

C:\Users\Admin\AppData\Local\Temp\683112823e40d4b3e6e669bf3fbba360N.exe
"C:\Users\Admin\AppData\Local\Temp\683112823e40d4b3e6e669bf3fbba360N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\FilesXO\abodec.exe
  C:\FilesXO\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesXO\abodec.exe

Filesize
2.6MB

MD5
cc35bcad60292159aabeb818cbb2bba7

SHA1
28ec8a02e826f27b359c7f37aae1829e1fe8788d

SHA256
6c6f7eeba5e135657296cfff9ae260cd173768e96fce39a1c49ce1106fe8f97c

SHA512
074192c0a1b253c9f26deab7fab4730df44c6585a42daf8a8d5e18a627c23ecf6e4d91572ab68b8dd2fe04bab84a7e3de2b563316c4146cf55eab6dd4e61f954

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
165B

MD5
0ad0c4483dbb6d676cef081a941de682

SHA1
102e9c3f45c845a2129548d8e43dc7d9f0140acb

SHA256
3e6fa955e30819ebeea1b7f68cbfce1e24f19c1a3e35b2d7df7d50dcc693519a

SHA512
1c76b16218dde2cb81dce4705a628201d5e48492a6ddce36629e41d2f820a79bfbaeb9269abf9749cc9c0301a6fe0996abd0f51c0d4dee2d5c38e122f20baa51

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
197B

MD5
e42fdd1efc1c8a2fd8e7d95dff068e0d

SHA1
52b048efecde55e45e912f6fbb2a5d94da68f0e9

SHA256
2d14cfaf561eb021b843c7e5209f6d37d43eec139cef28988b008f4b156b509b

SHA512
2020c5524aecd7355aadf472819c9cd894fb46d5e8943b557fe642e99eeeeceff16105c54e98fb8f045438c06835fcb05c95945fed288bf2cb50ff5f0f843b89

Download Submit
C:\VidHQ\bodasys.exe

Filesize
2.6MB

MD5
fa1500a0bfb1fe4971c207edbe27fabf

SHA1
4f12e60a9fd3060790fc39c7361aee739ad3af52

SHA256
2dceac7fe90c49dfc0f6117454dfa5178533fc7cc82c194647bcfd66ab0c08ca

SHA512
57e662c1cfc33410ee202c6ff9082578dce144b79fc02343d66ae9980121009c07879076ace795f011896d59feac3c1de7df4ae6b04e09d1d1d39c1b8836189d

Download Submit
C:\VidHQ\bodasys.exe

Filesize
2.6MB

MD5
e62579c189a4e87c90456b85fc909579

SHA1
313f15c54662ce32e069e154ca4771111bde2082

SHA256
e957e8f6e357c567c2f6cad84fbc46cf7e81580bbc60094d50f3faf0ec608b3d

SHA512
32a1c0d6741524971a18b69e8a5a45564a89d41616024d56346b5e3cbd584ad636619363fb8881c82941c75d00b69a4255a459103c4dcea125704b4a0250faad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
4c3d9b118863fd946820ea8936f432d7

SHA1
1dfeec133c8c34b433ef126e623ac1946d25d5ba

SHA256
892c33d4c14efd7b056a807f7bc3c07bfad1a63755bc51d4c64cd5f54567e833

SHA512
57ce362edb39b42716463c502e2ddabd481ec5900e26d7f43da3bc13cba3c76ec15c7cf1433e986a4c082f8a08cc50270825d692e5e8aa5fe967f9b87ac72c39

Download Submit