Analysis
max time kernel: 149s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 06:56

Static task: static1

Behavioral task: behavioral1
Sample: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
Resource: win10v2004-20240802-en
General
Target: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
Size: 2.6MB
MD5: caf5d388c5a5e9237a3784652b0950f9
SHA1: b73e6c9a785b8c73a1f9651564f2d5dfe2a8260c
SHA256: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147
SHA512: 612c52a29ad2f27af169a59406af1e6275a213c21cf9d04392a841772022d83e9ca19f8dd90e1bf4d3af9f5415e697c11f80a94a0c1c86d191c2b68a0304d605
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.

Drops startup file (1 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe)

Executes dropped EXE (2 IoCs)
PID 3744: ecabod.exe
PID 1888: abodloc.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7Q\\boddevloc.exe" (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4S\\abodloc.exe" (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecabod.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodloc.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 628: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe (4 entries)
PID 3744: ecabod.exe and PID 1888: abodloc.exe (the remaining 60 entries alternate between these two processes, 30 each)
Suspicious use of WriteProcessMemory (6 IoCs)
PID 628 wrote to memory of 3744 (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe, procid_target 86), listed 3 times
PID 628 wrote to memory of 1888 (process: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe, procid_target 87), listed 3 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe"
   PID: 628
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      PID: 3744
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\UserDot4S\abodloc.exe
      Command line: C:\UserDot4S\abodloc.exe
      PID: 1888
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 5369e0b55aeaf14f76d0137af6e8a0d1
SHA1: fead6d7bdf128f6a146b989e90c3a21c1ede7b6f
SHA256: d6154a27e5ab172a170273fb95fd57d73a78f4c051c041fcc7023d6c08f157b8
SHA512: 9a5856b182295c0fba2536a56b0af8661341cab964ebd80cd34f2cf85d73023d3f5a5844dcb802b84dcbea56d86809a110170c386d38bf3b19d70400608ad12d

Filesize: 16KB
MD5: 7194af4ca8b5784e038c373119d798e5
SHA1: 9c114add88126c1358d7020ca7697c5b0528ea2d
SHA256: f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050
SHA512: dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992

Filesize: 2.6MB
MD5: 52ca94fa6b6385d763178807a4ad1db9
SHA1: da17fd99a7ca5ad9ec9e0f79ac3b911e099a7610
SHA256: 614aaf9ac567d23f7754ca341325d9b13dc538434f782666e7ed0630d2891872
SHA512: 9aea4373af478364e04ee5d97fe93db8cf2a5e4d0bf45357aadcf9a26bc9bf1c305ab036f794c64e4815fcca28ae18eed88d277b5570e4a896f8ae84fdf5c680

Filesize: 203B
MD5: 74993698a16bf66f0d95bf33324c141e
SHA1: 616b0074f15be768a9b0879a7e26b1755865238e
SHA256: 78b8c30983b7a5f49a9e6d372a3e77ff4ed0a4587213e55d038ccfa9c97be64f
SHA512: b12808ad2d542674efff6a78b4e326fe3b0ba360d0d273b6ff887aa204c368ffe1cbb7ef2ab6e52c2073f96cd842c4fb127a7acad072d3abcf77681d4dde102c

Filesize: 171B
MD5: 4eab212b02f1e5eb42718bc5a445e31d
SHA1: 297357164e8c26d96b0194ee49eea84876d0e9b8
SHA256: 1710f160560df7f586b4128959133438955ddd2cccb6fd412d14c86768c9b25e
SHA512: 295aebad42518e4659950a3fdde7cbad74b6be2c37211be7c7d8efd76368a192f12abc7eeada070fc17ec33e6232972781d21d66e44e94800e2548bb59dafe9a

Filesize: 2.6MB
MD5: 217770b2c24e8b9639794f6c63881f47
SHA1: d62bda020d5c04375d7d4f379fb25ff6f0247e28
SHA256: d79519806249cfb9e39b4c53d6adffd9dfa8a61e8a903024eb05d0fe46600b52
SHA512: 51f2b0ed7078252835a38d2824e04553b7883cc1e6b7f4767bd62817d58f10d39e3a063dda61a52d2b98873e8e68fb45eccb8e40d41d300981fddf5f8ac02037