Analysis
max time kernel: 120s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:12
Static task: static1
Behavioral task: behavioral1
  Sample: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
  Resource: win10v2004-20241007-en
General
Target: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
Size: 2.6MB
MD5: cd24d042147b423f240b3eea6c3b1000
SHA1: bbd5ad7d83dad70b59a617ce1f1f3b19b26bd158
SHA256: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8e
SHA512: ef89a132e2acb36832f5457138462a5335bc593a569f47a42e1d30ed899b0c457084a5137a54b225e89ac0dc00744c138735bc4810bff289057482dbb5580fc7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bS:sxX7QnxrloE5dpUpGb
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  Process: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
Executes dropped EXE (2 IoCs)
  pid 2972: ecabod.exe
  pid 2836: abodloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMM\\abodloc.exe"
  Process: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7X\\boddevloc.exe"
  Process: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: abodloc.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecabod.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; duplicate pid/Process rows collapsed with their event counts)
  pid 3228: 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe (4 events)
  pid 2972: ecabod.exe (30 events)
  pid 2836: abodloc.exe (30 events)
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3228 wrote to memory of 2972 | 3228 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | 88
  PID 3228 wrote to memory of 2972 | 3228 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | 88
  PID 3228 wrote to memory of 2972 | 3228 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | 88
  PID 3228 wrote to memory of 2836 | 3228 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | 91
  PID 3228 wrote to memory of 2836 | 3228 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | 91
  PID 3228 wrote to memory of 2836 | 3228 | 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe"
  PID: 3228
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (depth 2, child of PID 3228)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    PID: 2972
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\FilesMM\abodloc.exe (depth 2, child of PID 3228)
    command line: C:\FilesMM\abodloc.exe
    PID: 2836
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads