Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 06:56

General

  • Target

    ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe

  • Size

    2.6MB

  • MD5

    caf5d388c5a5e9237a3784652b0950f9

  • SHA1

    b73e6c9a785b8c73a1f9651564f2d5dfe2a8260c

  • SHA256

    ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147

  • SHA512

    612c52a29ad2f27af169a59406af1e6275a213c21cf9d04392a841772022d83e9ca19f8dd90e1bf4d3af9f5415e697c11f80a94a0c1c86d191c2b68a0304d605

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUpMb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
    "C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3744
    • C:\UserDot4S\abodloc.exe
      C:\UserDot4S\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1888

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Mint7Q\boddevloc.exe

    Filesize: 2.6MB
    MD5: 5369e0b55aeaf14f76d0137af6e8a0d1
    SHA1: fead6d7bdf128f6a146b989e90c3a21c1ede7b6f
    SHA256: d6154a27e5ab172a170273fb95fd57d73a78f4c051c041fcc7023d6c08f157b8
    SHA512: 9a5856b182295c0fba2536a56b0af8661341cab964ebd80cd34f2cf85d73023d3f5a5844dcb802b84dcbea56d86809a110170c386d38bf3b19d70400608ad12d

  • C:\Mint7Q\boddevloc.exe

    Filesize: 16KB
    MD5: 7194af4ca8b5784e038c373119d798e5
    SHA1: 9c114add88126c1358d7020ca7697c5b0528ea2d
    SHA256: f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050
    SHA512: dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992

  • C:\UserDot4S\abodloc.exe

    Filesize: 2.6MB
    MD5: 52ca94fa6b6385d763178807a4ad1db9
    SHA1: da17fd99a7ca5ad9ec9e0f79ac3b911e099a7610
    SHA256: 614aaf9ac567d23f7754ca341325d9b13dc538434f782666e7ed0630d2891872
    SHA512: 9aea4373af478364e04ee5d97fe93db8cf2a5e4d0bf45357aadcf9a26bc9bf1c305ab036f794c64e4815fcca28ae18eed88d277b5570e4a896f8ae84fdf5c680

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize: 203B
    MD5: 74993698a16bf66f0d95bf33324c141e
    SHA1: 616b0074f15be768a9b0879a7e26b1755865238e
    SHA256: 78b8c30983b7a5f49a9e6d372a3e77ff4ed0a4587213e55d038ccfa9c97be64f
    SHA512: b12808ad2d542674efff6a78b4e326fe3b0ba360d0d273b6ff887aa204c368ffe1cbb7ef2ab6e52c2073f96cd842c4fb127a7acad072d3abcf77681d4dde102c

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize: 171B
    MD5: 4eab212b02f1e5eb42718bc5a445e31d
    SHA1: 297357164e8c26d96b0194ee49eea84876d0e9b8
    SHA256: 1710f160560df7f586b4128959133438955ddd2cccb6fd412d14c86768c9b25e
    SHA512: 295aebad42518e4659950a3fdde7cbad74b6be2c37211be7c7d8efd76368a192f12abc7eeada070fc17ec33e6232972781d21d66e44e94800e2548bb59dafe9a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize: 2.6MB
    MD5: 217770b2c24e8b9639794f6c63881f47
    SHA1: d62bda020d5c04375d7d4f379fb25ff6f0247e28
    SHA256: d79519806249cfb9e39b4c53d6adffd9dfa8a61e8a903024eb05d0fe46600b52
    SHA512: 51f2b0ed7078252835a38d2824e04553b7883cc1e6b7f4767bd62817d58f10d39e3a063dda61a52d2b98873e8e68fb45eccb8e40d41d300981fddf5f8ac02037