Analysis

  • max time kernel
    120s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 04:12

General

  • Target

    47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe

  • Size

    2.6MB

  • MD5

    cd24d042147b423f240b3eea6c3b1000

  • SHA1

    bbd5ad7d83dad70b59a617ce1f1f3b19b26bd158

  • SHA256

    47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8e

  • SHA512

    ef89a132e2acb36832f5457138462a5335bc593a569f47a42e1d30ed899b0c457084a5137a54b225e89ac0dc00744c138735bc4810bff289057482dbb5580fc7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bS:sxX7QnxrloE5dpUpGb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
    "C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2972
    • C:\FilesMM\abodloc.exe
      C:\FilesMM\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesMM\abodloc.exe

    Filesize

    2.2MB

    MD5

    588c92f6f007ea9dfda0013a82b3f6b2

    SHA1

    f585081343aa3869ebc1ed86bf7805abc8b9917e

    SHA256

    a0e9fbd1638f2ae85b1881cfc8a07d4724c49a0dd8560710eb35c1d486d27f48

    SHA512

    f08cde780a0bd03db5b18dc7ffa5ee01e810a2161e61e9a1dfaa7b3f19b2a893822b4cae3b8d627d700f90d7a67ee72d403ff69a3f937d67caf424c2ed08ca76

  • C:\FilesMM\abodloc.exe

    Filesize

    2.6MB

    MD5

    19c30179b01b9eb6a6027d078fd9e42c

    SHA1

    47adaffb74faee6ceec93ada1d96c05bd6860fc3

    SHA256

    b429709503063e2f05ca76bc5d5e9fec11a0bc3a69aabc4064bdba627a9dc673

    SHA512

    91e4462f0c2d29fc38cb545c44aab88f319dd7ff17ab1c2b9430afff7951b7e4f2429487417a07f8e008c9faec6a12494d50b5bab8be4c9ab298a4d751763276

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    200B

    MD5

    6d79ab039689bb32ca868c1f8761756c

    SHA1

    324fa5bb85fd8393a48ad446e23f50bac9d56425

    SHA256

    befcd4cb9d17872b97a83b773ae5c34041ba38b395df0058dd147579d74ebd65

    SHA512

    09b299089daec0aeafaa74cfb852efc756b134482da62a1faf33a1f54785c85208426220aec940914ccfe6cc077b257f2b2e199eae0ceb5215c6f4189d8a1b0e

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    168B

    MD5

    6f7a736741eb844b1ebc87fbee4ae9f7

    SHA1

    1b01bd026638a5c08574be5808009ab73c8bf0e5

    SHA256

    917030f1778f17245978b7157345538c0357b49aa9124a07178335aa925999c2

    SHA512

    be9a67e1c3a8ad2ec10df552d3e4945345378c7bde7ba17140c5e79a99ccdffa3a8ab63e16d7bd36f593bdac838ec630c72ea78117488382cca1e759536fcf65

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    2.6MB

    MD5

    19ec1c36a62f9cb47f374c2ae988484e

    SHA1

    5373c718948767e266a64ecf59db9e4f937d4d96

    SHA256

    6c2a366702e495d509f94e54692b38f53afd1076f77d3fd11e12ed3719fd7e34

    SHA512

    33ea116976d31f24a969fbf3c195e63b58268a4951c27595bb0375aafe4b661e5f991bf7d6a5d26faeb1291641d77779c70759890203799ede7bae0a4559fcd1

  • C:\Vid7X\boddevloc.exe

    Filesize

    2.6MB

    MD5

    1196388aed32996b10e51572892c0495

    SHA1

    1781377fa83fbe69a76b183c86b5766aecfa29d1

    SHA256

    d0b83cd28dffcc45176c54477313049d7919bee14b846fea36fbc77ccfef8585

    SHA512

    431dba4bce6a9bc374b3460728d7a9943a055da5416d4de8c2da814b56b4888fb903be804211a28f49bff6536175469c08487ef36e57e29c99e8666706fb6f09

  • C:\Vid7X\boddevloc.exe

    Filesize

    2.6MB

    MD5

    62bb3576e21ef9a6eb275a26aef0dda0

    SHA1

    c1515f786ebd643c3322b826f4426bb9fa06a8ca

    SHA256

    74d9385df541384f93f2ac5a93c746eb6ec9adff2fb9641ce7b06bb552f60763

    SHA512

    47eb601062d88281ecc30af0c77367f224fc5e16de9ce4bf28f1218f325444ef7fd5143bbb2b0ddd0a84524884e08e8e5389ba1311f8bc043ddddc3223795429