ba677103a2061050d4a34492676048e06e565d94ba367282cb8b76799d23b210

Analysis

max time kernel
120s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

683112823e40d4b3e6e669bf3fbba360N.exe
Size

2.6MB
MD5

683112823e40d4b3e6e669bf3fbba360
SHA1

45e662ac81fe4d1872b76d185cdf6098ad5b6d31
SHA256

ba677103a2061050d4a34492676048e06e565d94ba367282cb8b76799d23b210
SHA512

3f708106bf2228c94d66dcb05777821847ca3f1ea2369f25a5861c1ef9f3ee2922a20282914093fb417b315a18087580fb300ec92644bc21fd0a6c8d1b673726
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUpbb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	683112823e40d4b3e6e669bf3fbba360N.exe

Executes dropped EXE 2 IoCs

pid	Process
3664	ecxdob.exe
1176	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1R\\abodloc.exe"	683112823e40d4b3e6e669bf3fbba360N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax9A\\dobxec.exe"	683112823e40d4b3e6e669bf3fbba360N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	683112823e40d4b3e6e669bf3fbba360N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	683112823e40d4b3e6e669bf3fbba360N.exe
2760	683112823e40d4b3e6e669bf3fbba360N.exe
2760	683112823e40d4b3e6e669bf3fbba360N.exe
2760	683112823e40d4b3e6e669bf3fbba360N.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe
3664	ecxdob.exe
3664	ecxdob.exe
1176	abodloc.exe
1176	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 3664	2760	683112823e40d4b3e6e669bf3fbba360N.exe	89
PID 2760 wrote to memory of 3664	2760	683112823e40d4b3e6e669bf3fbba360N.exe	89
PID 2760 wrote to memory of 3664	2760	683112823e40d4b3e6e669bf3fbba360N.exe	89
PID 2760 wrote to memory of 1176	2760	683112823e40d4b3e6e669bf3fbba360N.exe	90
PID 2760 wrote to memory of 1176	2760	683112823e40d4b3e6e669bf3fbba360N.exe	90
PID 2760 wrote to memory of 1176	2760	683112823e40d4b3e6e669bf3fbba360N.exe	90

C:\Users\Admin\AppData\Local\Temp\683112823e40d4b3e6e669bf3fbba360N.exe
"C:\Users\Admin\AppData\Local\Temp\683112823e40d4b3e6e669bf3fbba360N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3664
- C:\Intelproc1R\abodloc.exe
  C:\Intelproc1R\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax9A\dobxec.exe

Filesize
2.6MB

MD5
815d19afd5e30e6af0fa02974ec9d78f

SHA1
82d15b4b34b104bdf91bb4c41a66cdf7aafa55b0

SHA256
dfc3ba32dceb88bbd6d752daaafb69eb662513d22b5f3650a9f6c6ef82354223

SHA512
988204f75b9a5f15cebf48fd700656f8f79aa25967b91f46d931f3a0a7391156ce5e94982e79e59be081979c73888633416517d9266aa449117622b66f13114b

Download Submit
C:\Galax9A\dobxec.exe

Filesize
2.6MB

MD5
3753fd64894a82198c2cf737614c24cd

SHA1
55c5a2a1988ab5d9afb3c54df74c4ffa6726e83d

SHA256
e7fcd49872c9ef3958b70ed5ae1e7076c709f59ca888a34aa40374ff44ae5e64

SHA512
78af644402e3146c02a02eedfd18a1d2dd4f4ed822576a2a9fcfa0c2bbed1ddf2323b0842bf221154ff22a28d63493d4687e10638b214e2a08b7ecac274489be

Download Submit
C:\Intelproc1R\abodloc.exe

Filesize
1.1MB

MD5
43c05e124d3046ac800f5718ade67ddd

SHA1
f7013ba4c5a2b215c1d5107426d0a2c9c7e0ce2a

SHA256
135844b116d3c07e9a66259b4cf591cd73868b6f68122d4aad3a55a1e6e16144

SHA512
a65088a10b6f49a9ec381e62f9a109b325bd5e4ccc464dcc591b532284eb4d2c30ab1bba7f21349dae5ebee19ccfdd533c49ddfe407e716d7e7c2bf85ca74bcd

Download Submit
C:\Intelproc1R\abodloc.exe

Filesize
2.6MB

MD5
5e4e048244aacc72a472254af3b77301

SHA1
6f2a4d1ceb8a53c058f414a76208df8e6e66d91e

SHA256
dac904dd2f5bdfc0ddf6f9b92a9a2b9d2ee6ca6069d01ef2e5e7a444a762a192

SHA512
64fef47af1f0ecd6437f5d16fd36c39156bc6b67426d6b8cb76421f4a7c4e86f7863c520066e8b52c204ed8ad52664cb481b3d41544e09c9fb65dacb273c04e1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
c50108ab6aba9d57854895bf15eed815

SHA1
0e4753f5028729b55c1ff922c10dc1e4f3cfb858

SHA256
894ff7c0d5a0da28a40fe5d00810f0a9386e2cdd6a1b960d5fffa3e89f99ad09

SHA512
4768758a66bf25e3f23381767454cb5c1697be2c51a504d43b81bfcdbe2c98dab35beb439b1b6103e309031cc62049afda8cfb0fed8131f76dc8102681b1f6ba

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
74bedf9492658fb4f5e37f285632a870

SHA1
60dd3ee59436f2a839547d63a4ce01d809b86776

SHA256
9ddff4bedf33a969e1abc9f2844d6fe45b51b2b017d7441e7eef0c3dcc132806

SHA512
d033a4394d80e347341e4b609c50923d460ad385afda7218d708144e968e6b322d2ce0d072404145efe0ef0944069af137145b5f56641730dd95f6e28c9083b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
49a3fa74e229a75a8efa04e7281b65c8

SHA1
b33772a004e787888c5c6be5727642c084c1c8f0

SHA256
1b79bb842f5c97f533a29b2d8b2af69201f78f7584927be8cf980b4acf8b203e

SHA512
a1fcc0ce6e990d6274ec1ce4d34106f14deed1b9717f6d318742fed86d9b12c7c24669239ed9f29bf172a521819754f88ce9b90ed44b00d2d828ba84d8fd5c6f

Download Submit