Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  Resource: win10v2004-20241007-en
General
Target: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
Size: 2.6MB
MD5: 11f66d938dd1beae0be6c023b9aacd50
SHA1: 968b5292f31dbb428accd5999f271c76b72196bf
SHA256: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fec
SHA512: 446f2c0cdafa16a915bdb676020f46665ad10dc5d652cfd5385b5ab21d23743cad78be47457b2cec0cfdc784d70175ceaaa8ff968e0794a1bbc24c9018fbdd9d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpIb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  Process: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe

Executes dropped EXE (2 IoCs)
  PID 2916: ecxbod.exe
  PID 4696: abodloc.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7B\\abodloc.exe"
    Process: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4N\\boddevsys.exe"
    Process: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecxbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: abodloc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, each one of the following three processes (repeated):
  PID 2008: 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  PID 2916: ecxbod.exe
  PID 4696: abodloc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2008 (8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe) wrote to memory of PID 2916, procid_target 86 (3 entries)
  PID 2008 (8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe) wrote to memory of PID 4696, procid_target 87 (3 entries)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe"
  PID: 2008
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    PID: 2916
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Depth 2: C:\UserDot7B\abodloc.exe
    Command line: C:\UserDot7B\abodloc.exe
    PID: 4696
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads