Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 02:24

General

  • Target

    c4976449626d86b73e6abe5bb579a8994ed4dd79c91eeec9236bbf6cd3933517.exe

  • Size

    2.6MB

  • MD5

    5cb4cfffbbbe511a4bd931e7431dd645

  • SHA1

    cdbefee66867af493124b1a1e83093e7c00bff75

  • SHA256

    c4976449626d86b73e6abe5bb579a8994ed4dd79c91eeec9236bbf6cd3933517

  • SHA512

    ee30d8189a1ead6f330d1778f3ba7d12ce5aba7dcfd1bca58c82a767711c622e11e7f395849047436c1a7825dadc9932e1745a2140968a58b37a3abe79833d5e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBJB/bS:sxX7QnxrloE5dpUpab

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4976449626d86b73e6abe5bb579a8994ed4dd79c91eeec9236bbf6cd3933517.exe
    "C:\Users\Admin\AppData\Local\Temp\c4976449626d86b73e6abe5bb579a8994ed4dd79c91eeec9236bbf6cd3933517.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2264
    • C:\SysDrvFL\abodsys.exe
      C:\SysDrvFL\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1516

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\LabZPP\dobaloc.exe

          Filesize

          346KB

          MD5

          05759b19068adc2a5accd79f4dae7dbb

          SHA1

          d48b356a09e111b9d1cc70fa378895435b089128

          SHA256

          c44a0149c02f157806244540678b61ab1f5b2d6e55bce4220bc90b307d9dc4a9

          SHA512

          faa98db26ab026f6d185f00b6657cccc0d96f8e8202752dd0b2933f95dc820bc3dcaf0af851691024263d1a96363ec865699cca58b590bb275f04b00b727c93d

        • C:\LabZPP\dobaloc.exe

          Filesize

          3KB

          MD5

          1277107cabcc016a5fd1f1042e36a2e3

          SHA1

          d7f8e8f7a16218d6bb1dce7bd03617500801eb78

          SHA256

          8e909b1d2c6f2b50ac77632d0c29bee78baafb5a1b3d23226e037507fc026273

          SHA512

          f129adcdeabd08d93ae5036fe57020e5d0eab6c1565a555dce876fa729326075b333ac31bc8a7973c21d03d17b08334e1acad9033a1e66962d79780e301afbf3

        • C:\SysDrvFL\abodsys.exe

          Filesize

          2.6MB

          MD5

          3cab25bd22b2e914eb604ab59011dbb0

          SHA1

          6e8c9d5cdbdc59b9322c6558878a8f7676de23ab

          SHA256

          2826954dd5aa18a52d0d5ff1d8268d3124bede538ca5ee8925c87536670c58f9

          SHA512

          33be6f85902ce28f465432bad03e041c097b99ecb3e4764b8b6061af85afc58c3a245664514707503a33459d215498a9567d47f2e086085fea71b4324390805f

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          200B

          MD5

          93526364e84b625e9a2feb304eebf3f1

          SHA1

          a495869c6cba1526a4011f5ddeefb3e19f1a9ffe

          SHA256

          fadb807a5410c88b92cc7b6994df5a33a4db0841351c1eb7c0be971bb63850d4

          SHA512

          4c6dbe9ab5d51138905ef9f771d77f97069a07d641c0cc69378bae7043d96804d821744b97bdebca7af697090fe974f5feee7097d4072225aef8939ed2185cc5

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          168B

          MD5

          03de829a117d0740091a2ddac6acd48c

          SHA1

          3a3eab48dafc0588150282ef20d15278aa59a665

          SHA256

          5963e3b19fcc5828a056ad200ebe5d23551975a0db4ec55e15403ad46671ca4f

          SHA512

          f45dfa706434f64d81256bbcb74bec1b58e0d6769e788e94deb37e13b22e720d6d4089b2510c8b23b6cb2332034fa4a8c5a320cd67edc0036f58f475ba258690

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          395bf66813171fe02e5e38dadf043b4e

          SHA1

          204583e4fae500f0eda7cac1166bb0ce75e8f764

          SHA256

          d12a95dc40f7a91e29e6779d0d3a76d66ce27940a676edc19afdba8a9db0a593

          SHA512

          30284e3adf52a1db42534e30b0991de37214661f0dc0f5c61f75c523905febe804fb51d8ec8b244bd04fd6a8690abd13894a4f776b4dd2ab03f8745710268c97
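The report lists three 2.6MB executables (the submitted sample, the Startup-folder copy ecxbod.exe and C:\SysDrvFL\abodsys.exe) that share a size but carry different hashes, so a hunt that matches only on the parent sample's SHA256 will miss the persisted copies; the drop locations are the more durable indicator. The following is an added example (not part of the sandbox report or the sample's own code) of a small Python hunt that flags files by either the report's SHA256 values or its drop paths. The Windows paths and hashes are copied from the report; the file contents written by demo() are constructed, and the one extra hash demo() adds to the IOC set exists only to show a hash hit.

```python
import hashlib
import os
import tempfile

# SHA256 values copied from the report (original sample plus the "Downloads" list).
REPORT_SHA256 = {
    "c4976449626d86b73e6abe5bb579a8994ed4dd79c91eeec9236bbf6cd3933517",  # submitted sample
    "c44a0149c02f157806244540678b61ab1f5b2d6e55bce4220bc90b307d9dc4a9",  # C:\LabZPP\dobaloc.exe (346KB)
    "8e909b1d2c6f2b50ac77632d0c29bee78baafb5a1b3d23226e037507fc026273",  # C:\LabZPP\dobaloc.exe (3KB)
    "2826954dd5aa18a52d0d5ff1d8268d3124bede538ca5ee8925c87536670c58f9",  # C:\SysDrvFL\abodsys.exe
    "fadb807a5410c88b92cc7b6994df5a33a4db0841351c1eb7c0be971bb63850d4",  # 253086396416_10.0_Admin.ini (200B)
    "5963e3b19fcc5828a056ad200ebe5d23551975a0db4ec55e15403ad46671ca4f",  # 253086396416_10.0_Admin.ini (168B)
    "d12a95dc40f7a91e29e6779d0d3a76d66ce27940a676edc19afdba8a9db0a593",  # Startup\ecxbod.exe
}

# Drop locations from the process tree and "Downloads" list, lower-cased for matching.
REPORT_PATH_MARKERS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "c:\\sysdrvfl\\",
    "c:\\labzpp\\",
)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def path_is_suspicious(win_path):
    """True when the Windows-style path sits in one of the report's drop locations."""
    p = win_path.lower()
    return any(marker in p for marker in REPORT_PATH_MARKERS)


def scan(files, ioc_hashes=REPORT_SHA256):
    """files: iterable of (windows_path_as_seen_on_host, local_path_to_read).
    Returns one hit dict per file that matches a hash or a drop path."""
    hits = []
    for win_path, local in files:
        digest = sha256_file(local)
        reasons = []
        if digest in ioc_hashes:
            reasons.append("sha256 matches report IOC")
        if path_is_suspicious(win_path):
            reasons.append("path matches report drop location")
        if reasons:
            hits.append({"path": win_path, "sha256": digest, "reasons": reasons})
    return hits


def demo():
    """Constructed demo: writes three throwaway files and scans them.
    The bytes are made up; the startup copy's hash is added to the IOC set
    purely to show what a combined hash-and-path hit looks like."""
    samples = {
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe":
            b"MZ-constructed-startup-copy",
        r"C:\SysDrvFL\abodsys.exe": b"MZ-constructed-sysdrv-copy",
        r"C:\Users\Admin\Documents\notes.txt": b"benign constructed text",
    }
    with tempfile.TemporaryDirectory() as d:
        files = []
        for i, (win_path, data) in enumerate(samples.items()):
            local = os.path.join(d, f"f{i}")
            with open(local, "wb") as f:
                f.write(data)
            files.append((win_path, local))
        iocs = set(REPORT_SHA256)
        iocs.add(hashlib.sha256(b"MZ-constructed-startup-copy").hexdigest())  # constructed extra IOC
        return scan(files, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], hit["sha256"][:16], ", ".join(hit["reasons"]))
```

On a live host the (win_path, local) pairs would come from walking the Startup folder, C:\SysDrvFL and C:\LabZPP directly; the report does not give the Run key value the sample writes, so that indicator is left to the analyst.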