Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 26-10-2024 04:10

Static task: static1

Behavioral task: behavioral1
- Sample: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
- Resource: win10v2004-20241007-en
General
- Target: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
- Size: 2.6MB
- MD5: 26234f25757607a2c6e9c2a664b824f0
- SHA1: 52a21524c60502ac26b5c9ff807d8546d9c1b339
- SHA256: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cd
- SHA512: b8d7c5be067efcdeed501c4eda0e29b4e3f8b38a2ec12eae7a1df8857cb13a9da06dace621cc9de397943cdda6e7f01d5c155caa6714b73c3f7b5e3add792ff2
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpFb
Malware Config
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (process: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe)

Executes dropped EXE (2 IoCs)
- PID 2588: ecxbod.exe
- PID 2780: abodloc.exe

Loads dropped DLL (2 IoCs)
- PID 2792: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
- PID 2792: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBZ\\abodloc.exe" (process: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid52\\dobxec.exe" (process: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxbod.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodloc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2792: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe (2 entries)
- PID 2588: ecxbod.exe and PID 2780: abodloc.exe, alternating, for all remaining entries

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2792 (aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe) wrote to memory of PID 2588, procid_target 28 (4 entries)
- PID 2792 (aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe) wrote to memory of PID 2780, procid_target 29 (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe"
   PID: 2792
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (nested under PID 2792)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      PID: 2588
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\UserDotBZ\abodloc.exe (nested under PID 2792)
      Command line: C:\UserDotBZ\abodloc.exe
      PID: 2780
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15

Downloads
- Filesize: 2.6MB
  MD5: 397864bf775f654c32970aeaeb5773d5
  SHA1: af69980a966beaa7d1ff405f297b0e6c6a20f61d
  SHA256: a4b062b523182323a9f39667081b06da24133eb0b72fc182f29cac6c21e5b19b
  SHA512: 5d60c4ad89bd04e6c9efaeaec6a3bcc07a9e620e435e3b6a46445dc2935dbb20ea6ca3a181d54df1a2824d14805cb319273951eaa71e1d80785a8e99e5baad28

- Filesize: 167B
  MD5: 92c4b010fb0c6f09f07c8bc25ae5347a
  SHA1: 8c5f12d043ba6e61fdab5318dfcddd51ef0f8104
  SHA256: 4ea55b7c5fc1ee347e71129cb5dd578c110f22f1d4958ef2189e00fd331646e0
  SHA512: 322f57aebc43cca24369a301df6195b753ee5052126fac52a830291efad3f83a45bc8a8330a2ba017ecc10788cc681bd9d0c830c0d0645f43c7202ea727dbc03

- Filesize: 199B
  MD5: ff4d421683b4118ac212c2cd65885aed
  SHA1: 2b872c1659a5ffda83e5fa7c71f0ad9beb973da2
  SHA256: 29aac207e7f0b6b4ac1c9b0ab8cef692d392af63e7afc53f76ba1a9da93512de
  SHA512: 3417109c889a4d69a0c91ef9da8e78e284b510dca3a3de65c32dfd64c65b768401f672cc992c1a50836a8c29c094bffb44649d7e0ffffb1da1a53e2faa671eb3

- Filesize: 2.6MB
  MD5: 3020a0b48fecb07f934b0e72f71556a5
  SHA1: 96f167383f3b8c3a40d5c863a1621dd4525598ec
  SHA256: cfb4f6f135a196260b98eef1e1a8d6d477718d2e51de25f4d1d6070a71ae6018
  SHA512: 2f725db8aeaba87d2a8b5ea82944c83ad502eed75c1886187f508951579f788c38003faa28a80ab65d8dd2f427327e7dcae1bf62ac1f307175772d9f8bb35682

- Filesize: 2.6MB
  MD5: b2ea5c939cedc90761e6e4ffd8884193
  SHA1: 6005272bfee16697476a692e1ed6bdc02c300885
  SHA256: 58e24ca59b8e52712beadd860e95a296c0a3490d8e49f6ac5f55f85613c2980d
  SHA512: 5cdb91f1f749706c4b4adc13bf31bd1c94a9126b23cfa157524dc4669a11f79b916f03e086ebf2fd11d22b9db6ed588be769724d57fa92dec2d08f5a840dbe1b

- Filesize: 2.6MB
  MD5: 60d981fe7cfe3fda017f028a5717ac4e
  SHA1: 5d2ffa89049068e048f0cb7b6e48b16e8fb3f764
  SHA256: 108aec8fdfa8537f5fb3891994ffcafe2ea5f366809d7f197bfd1869ffe06347
  SHA512: 0dd2ed5a6e89a6c8247dc28b5fdfd7a0525235c838feb8ca51ab16b54cf23bc5d51a1997f652d46a44e87aa6fbcdec9341708131fa795671dbf6449a494c3b59