Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
  Resource: win10v2004-20240802-en
General
Target: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
Size: 2.6MB
MD5: a5036f5b6a68443b3bc0b943593759dc
SHA1: 72b024f1a9778ec9ce0c57e65003b4a31656fb45
SHA256: f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225
SHA512: b63e62b93d81c65ec1726832939cc6ac2f2ab3bbecc191909f4225613c8b1e4c49248587d42d58c227fa28cf674798a075a941dac7a417dc552b026202fb1546
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, a web browser credential store.
Drops startup file (1 IoC)
  description   ioc                                                                                        process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe   f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
Executes dropped EXE (2 IoCs)
  pid   process
  2528  ecxbod.exe
  4296  abodsys.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFL\\abodsys.exe"      f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPP\\dobaloc.exe"   f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
Both values share the name "Parametr" and point at executables in non-standard directories directly under the drive root. The RunOnce target, C:\LabZPP\dobaloc.exe, does not appear among the processes executed during this run; it would only launch at the next logon, so the observed process tree understates the sample's persistence footprint.
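The three signatures above (the startup-folder drop, the Run/RunOnce values, and the execution of the dropped copies) share a shape that is easy to hunt for outside the sandbox. The following Python is an added example, not part of this report or of the sample, that encodes those heuristics and runs them over constructed Sysmon-style events mirroring the IoCs listed here. The event field names, the rule names, the root-directory allowlist and the benign "Vendor" control entry are this example's own assumptions.

```python
"""Hunt heuristics for the persistence pattern seen in this report.

Added example: runs over constructed Sysmon-style events that mirror the
report's IoCs; event field names and rule names are this example's own.
"""
import re

# Directories that legitimately sit directly under the drive root (assumed
# allowlist). A Run value or process image in any other root-level directory
# (C:\SysDrvFL, C:\LabZPP in the report) is treated as suspicious.
ROOT_ALLOWLIST = {"program files", "program files (x86)", "programdata", "users", "windows"}

RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def image_from_value(value: str) -> str:
    """Extract the executable path from a Run value, quoted or not, dropping arguments."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:v.find('"', 1)]
    return v.split(" ", 1)[0]


def in_unusual_root_dir(path: str) -> bool:
    """True for <drive>:\\<dir>\\<file> where <dir> is not a standard top-level directory."""
    parts = path.split("\\")
    return (len(parts) == 3
            and re.fullmatch(r"[a-z]:", parts[0], re.I) is not None
            and parts[1].lower() not in ROOT_ALLOWLIST)


def evaluate(events):
    """Return (rule, detail) findings for a sequence of event dicts."""
    findings = []
    autorun_names = {}  # (writer image, value name) -> {"run", "runonce"} seen so far
    for ev in events:
        if ev["type"] == "registry_set":
            m = RUN_KEY_RE.search(ev["key"])
            if not m:
                continue
            hive, name = m.group(1).lower(), m.group(2)
            target = image_from_value(ev["value"])
            if in_unusual_root_dir(target):
                findings.append(("autorun_unusual_root_dir", f"{hive}\\{name} -> {target}"))
            seen = autorun_names.setdefault((ev["image"].lower(), name.lower()), set())
            seen.add(hive)
            if seen == {"run", "runonce"}:
                # One writer registering the same value name in both keys, as with "Parametr".
                findings.append(("autorun_name_reused_run_and_runonce", name))
        elif ev["type"] == "file_create":
            if STARTUP_DIR_RE.match(ev["target"]) and TEMP_DIR_RE.match(ev["image"]):
                findings.append(("startup_drop_from_temp", ev["target"]))
        elif ev["type"] == "process_create":
            child = ev["image"]
            if TEMP_DIR_RE.match(ev["parent_image"]) and (
                    STARTUP_DIR_RE.match(child) or in_unusual_root_dir(child)):
                findings.append(("temp_parent_spawns_dropped_exe", child))
    return findings


# Constructed events reproducing the report's IoCs, plus one benign control entry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
HKU_CV = r"\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"

EVENTS = [
    {"type": "file_create", "image": SAMPLE, "target": STARTUP_EXE},
    {"type": "registry_set", "image": SAMPLE, "key": HKU_CV + r"\Run\Parametr",
     "value": r"C:\SysDrvFL\abodsys.exe"},
    {"type": "registry_set", "image": SAMPLE, "key": HKU_CV + r"\RunOnce\Parametr",
     "value": r"C:\LabZPP\dobaloc.exe"},
    {"type": "process_create", "image": STARTUP_EXE, "parent_image": SAMPLE},
    {"type": "process_create", "image": r"C:\SysDrvFL\abodsys.exe", "parent_image": SAMPLE},
    # Benign control (assumed vendor software): should produce no finding.
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": HKU_CV + r"\Run\VendorUpdater",
     "value": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for rule, detail in evaluate(EVENTS):
        print(f"{rule:40s} {detail}")
```

Run against the constructed events, the script raises six findings for the sample's activity and none for the control entry. The rules key on structure rather than on the specific names in this report (Parametr, SysDrvFL, LabZPP), so they keep working when the sample's naming changes; the cost is that any legitimate software installing into a root-level directory of its own will also be flagged and needs to be allowlisted.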
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecxbod.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  abodsys.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  4828  f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe  (4 events)
  2528  ecxbod.exe                                                             (remaining 60 events, alternating in pairs with PID 4296)
  4296  abodsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                                                                 procid_target
  PID 4828 wrote to memory of 2528   4828  f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe  88  (3 events)
  PID 4828 wrote to memory of 4296   4828  f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe  89  (3 events)
All six writes go from the parent into the two child processes it had just created (see the process tree below). Writes of this shape are consistent with ordinary process creation, so on their own they are not evidence of injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe  (PID 4828)
  command line: "C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe  (PID 2528)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\SysDrvFL\abodsys.exe  (PID 4296)
      command line: C:\SysDrvFL\abodsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Three of the artifacts below are 2.6MB, the size of the submitted sample, but none of their hashes matches it; the report does not attribute these artifacts to file names.

- Filesize: 20KB
  MD5: 586dc09d5804dc54d44fbabe2f70a2f5
  SHA1: 1b5a9a763950331479ac1c498b03264cda1e5e0e
  SHA256: 33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079
  SHA512: 54a9d8562e63f9b26ca5680b6e9a17abb896ba1d76fd279957335198bab32efc42361d0585349bd615b1859a022b024d4629234b578a41c99310d0b00c64998a

- Filesize: 2.6MB
  MD5: 1107e0ac0ebbd970bbb14fe5eabcd274
  SHA1: 6ed74a3eb3cafe3576a300a3a1f89e929bdd1c0d
  SHA256: f8334f4324693f1fbfa1ec9e296a46fff16dc341a763e5b8b66c59075069c209
  SHA512: 6914a82aa49ce211eadf4397e8a619d23e11e462c876433ba9d2ad84fac207e67c7ea6cdf38ebb9828966a6cf4f46311e5797d10ad3efdcfb95b83e1380b113e

- Filesize: 2.6MB
  MD5: 882b72099260b49de76675836a9a7df8
  SHA1: 5d3c971abf0e9567dbffc7c7ac55a705c500c38c
  SHA256: 7363687a6698ead8e3bbe37a48c2572d0bc5c65fa89ed9befd4685998ec371f9
  SHA512: d522b9c10f4c4f19ae1a28fc94ef3d6e9c48f0a5c65c3733f2d3db4ab47bec3025ac9dba2e7c1d3cf60b958f326243bbff8315aeee90ff30aade35bfc38822ac

- Filesize: 200B
  MD5: 93526364e84b625e9a2feb304eebf3f1
  SHA1: a495869c6cba1526a4011f5ddeefb3e19f1a9ffe
  SHA256: fadb807a5410c88b92cc7b6994df5a33a4db0841351c1eb7c0be971bb63850d4
  SHA512: 4c6dbe9ab5d51138905ef9f771d77f97069a07d641c0cc69378bae7043d96804d821744b97bdebca7af697090fe974f5feee7097d4072225aef8939ed2185cc5

- Filesize: 168B
  MD5: 03de829a117d0740091a2ddac6acd48c
  SHA1: 3a3eab48dafc0588150282ef20d15278aa59a665
  SHA256: 5963e3b19fcc5828a056ad200ebe5d23551975a0db4ec55e15403ad46671ca4f
  SHA512: f45dfa706434f64d81256bbcb74bec1b58e0d6769e788e94deb37e13b22e720d6d4089b2510c8b23b6cb2332034fa4a8c5a320cd67edc0036f58f475ba258690

- Filesize: 2.6MB
  MD5: c9999282d54f79500817c321ae2751ab
  SHA1: 59aa01331c46216bed5e75b1e2d23c64a583d26b
  SHA256: b9d274974bbceb08fc7bab9eb426cf8ee48a517ae6378ac9a2eff89e0eee8a4c
  SHA512: 8562f924731f1a76c956e6ee05a1f9dbc7907aa8a45d7c01784c89331dd6391b62df926dbc7d9ab5821527a62560eea3f04f0ffd2edb2d9b9f8a63d482dd53fd