Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
  Resource: win10v2004-20241007-en
General
Target: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
Size: 2.6MB
MD5: 0ac1a0efc1023e6cecc0c6c6dde40980
SHA1: a0ad2ae3a452ad35b8ddf2708260cb0af99da89f
SHA256: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ec
SHA512: c918a55040ff23b428814f621d774d3698c2cb2e66922bb7f79f7744d3c60717dd69e260189a48dade85b7dcbdf2ee1ce164baf0da96b82296573d72238e9cc5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSq:sxX7QnxrloE5dpUpWbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (process: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe)
Executes dropped EXE (2 IoCs)
  PID 1476: ecadob.exe
  PID 4200: xbodloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT9\\xbodloc.exe" (process: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCB\\bodxloc.exe" (process: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries are repeated hits on the same three processes:
  PID 1260: 1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
  PID 1476: ecadob.exe
  PID 4200: xbodloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1260 (1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe) wrote to memory of PID 1476, procid_target 88 (3 entries)
  PID 1260 (1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe) wrote to memory of PID 4200, procid_target 89 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b83c317988eee869f60a255876ff073a1b5a12a2ac386bcae9fe2905a21e1ecN.exe"
  PID: 1260
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (child of PID 1260)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 1476
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\UserDotT9\xbodloc.exe (child of PID 1260)
    Command line: C:\UserDotT9\xbodloc.exe
    PID: 4200
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads