Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2024 04:10

General

  • Target

    aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe

  • Size

    2.6MB

  • MD5

    26234f25757607a2c6e9c2a664b824f0

  • SHA1

    52a21524c60502ac26b5c9ff807d8546d9c1b339

  • SHA256

    aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cd

  • SHA512

    b8d7c5be067efcdeed501c4eda0e29b4e3f8b38a2ec12eae7a1df8857cb13a9da06dace621cc9de397943cdda6e7f01d5c155caa6714b73c3f7b5e3add792ff2

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpFb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
    "C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2588
    • C:\UserDotBZ\abodloc.exe
      C:\UserDotBZ\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotBZ\abodloc.exe

    Filesize

    2.6MB

    MD5

    397864bf775f654c32970aeaeb5773d5

    SHA1

    af69980a966beaa7d1ff405f297b0e6c6a20f61d

    SHA256

    a4b062b523182323a9f39667081b06da24133eb0b72fc182f29cac6c21e5b19b

    SHA512

    5d60c4ad89bd04e6c9efaeaec6a3bcc07a9e620e435e3b6a46445dc2935dbb20ea6ca3a181d54df1a2824d14805cb319273951eaa71e1d80785a8e99e5baad28

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    167B

    MD5

    92c4b010fb0c6f09f07c8bc25ae5347a

    SHA1

    8c5f12d043ba6e61fdab5318dfcddd51ef0f8104

    SHA256

    4ea55b7c5fc1ee347e71129cb5dd578c110f22f1d4958ef2189e00fd331646e0

    SHA512

    322f57aebc43cca24369a301df6195b753ee5052126fac52a830291efad3f83a45bc8a8330a2ba017ecc10788cc681bd9d0c830c0d0645f43c7202ea727dbc03

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    199B

    MD5

    ff4d421683b4118ac212c2cd65885aed

    SHA1

    2b872c1659a5ffda83e5fa7c71f0ad9beb973da2

    SHA256

    29aac207e7f0b6b4ac1c9b0ab8cef692d392af63e7afc53f76ba1a9da93512de

    SHA512

    3417109c889a4d69a0c91ef9da8e78e284b510dca3a3de65c32dfd64c65b768401f672cc992c1a50836a8c29c094bffb44649d7e0ffffb1da1a53e2faa671eb3

  • C:\Vid52\dobxec.exe

    Filesize

    2.6MB

    MD5

    3020a0b48fecb07f934b0e72f71556a5

    SHA1

    96f167383f3b8c3a40d5c863a1621dd4525598ec

    SHA256

    cfb4f6f135a196260b98eef1e1a8d6d477718d2e51de25f4d1d6070a71ae6018

    SHA512

    2f725db8aeaba87d2a8b5ea82944c83ad502eed75c1886187f508951579f788c38003faa28a80ab65d8dd2f427327e7dcae1bf62ac1f307175772d9f8bb35682

  • C:\Vid52\dobxec.exe

    Filesize

    2.6MB

    MD5

    b2ea5c939cedc90761e6e4ffd8884193

    SHA1

    6005272bfee16697476a692e1ed6bdc02c300885

    SHA256

    58e24ca59b8e52712beadd860e95a296c0a3490d8e49f6ac5f55f85613c2980d

    SHA512

    5cdb91f1f749706c4b4adc13bf31bd1c94a9126b23cfa157524dc4669a11f79b916f03e086ebf2fd11d22b9db6ed588be769724d57fa92dec2d08f5a840dbe1b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

    Filesize

    2.6MB

    MD5

    60d981fe7cfe3fda017f028a5717ac4e

    SHA1

    5d2ffa89049068e048f0cb7b6e48b16e8fb3f764

    SHA256

    108aec8fdfa8537f5fb3891994ffcafe2ea5f366809d7f197bfd1869ffe06347

    SHA512

    0dd2ed5a6e89a6c8247dc28b5fdfd7a0525235c838feb8ca51ab16b54cf23bc5d51a1997f652d46a44e87aa6fbcdec9341708131fa795671dbf6449a494c3b59