ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe
Size

2.6MB
MD5

bef79d648bdeb58a0bc004525085d3ce
SHA1

5b7a996a951409a7cc1e104527ff68d2ac411d16
SHA256

ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027
SHA512

a271301c4a291ad87ad8a75304143720ac1bb471ecb4655c2ae03fa239afd2f523b3b3a7e897a6efb65e1d2f21efd2d4704911de227cb65db82fed7151e106f3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpeb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	ecdevdob.exe
2560	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe
2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0I\\abodloc.exe"	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTV\\dobxloc.exe"	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe
2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe
2204	ecdevdob.exe
2560	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2204	2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe	30
PID 2512 wrote to memory of 2204	2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe	30
PID 2512 wrote to memory of 2204	2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe	30
PID 2512 wrote to memory of 2204	2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe	30
PID 2512 wrote to memory of 2560	2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe	31
PID 2512 wrote to memory of 2560	2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe	31
PID 2512 wrote to memory of 2560	2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe	31
PID 2512 wrote to memory of 2560	2512	ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe	31

C:\Users\Admin\AppData\Local\Temp\ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe
"C:\Users\Admin\AppData\Local\Temp\ecd9ab4926fe90483c61380a25b2648408cf4ea8735255efbe1afc3d14d4b027.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\UserDot0I\abodloc.exe
  C:\UserDot0I\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxTV\dobxloc.exe

Filesize
2.6MB

MD5
2926c4b1f043f996be7197164040dce5

SHA1
a8ad2e151837ac139caab715fcec743b6fef9c48

SHA256
e690002f4c6d22459f35ee4f12f82eb3deb4d5de533cf11fa368817d5774aead

SHA512
28721f39c072ce6923afaa6ad6fed390ec7dce5453bf94e7f2b647b92130bc21a355c3197debfab55a0c5ae7f11595f72e516e2dc1b1b20e3ed108e76c549770

Download Submit
C:\UserDot0I\abodloc.exe

Filesize
2.6MB

MD5
91bb5c48f5686ba86e78aa075f643e06

SHA1
88dcd503ef7b9608edadd728c8c0c065195143c7

SHA256
723d88d186bb0eb85b32b049de28697346dfe09896d6e8ddaafd34a9330fa495

SHA512
1ac519d41bce52d019cda316c21518ed6efb048be529efb92894f63dc371bc1c04b944eb3680523f94b504be07d2c45d04a451db365fb698f62e16b954f4de65

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
ba546b2b26777afb44ed7728b729038d

SHA1
dc95b468fb6ddb0a161f956f7d3612e3c9ebca34

SHA256
aff5ce4016b5406a29aebd9b6c1e1be1b7a5a4218cd1d381bb488923f5803466

SHA512
84674accf497a552c8050dffa1142cdcdbbc39c9eeb8f232a1dce43e4a172b595d87e7e6b0c498165ed89bb96604b4730d78d5fbad9fb8f8b5518376e95acb58

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
284174317699b071de14f23e906f4382

SHA1
9945345fbb34e292113d117dd188dc58a6bfc400

SHA256
b9c02664a50666f18d907a71d1bfbaae5231cc8a71065095db6c606e702898b2

SHA512
230809cac7b6013ba7097e725903df3801f08da9477e5a1af5af8513a1b0af43ffa8af4eafb3374e14b03752ccb6a7a95dfdba689a739238f3868b33bf901728

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
b3870a07a8599d635baeb40b0b823b63

SHA1
2285bffab61e0f2e244147b399effa89e3b98028

SHA256
a85d4325a68775fe54e05a52280daa36c5ced761ff635b46447d5d821549cb84

SHA512
fe097ef32b0c0c887fcab46c2e40ced8a3ccf14de7fbbbb2e37a88bebdc6087b4ccc736fd80b1a92a98da1d6518e2eccd4923864d645c3d7ebfffd8d387cba27

Download Submit