Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08/11/2024, 22:40

General

  • Target

    8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe

  • Size

    2.6MB

  • MD5

    11f66d938dd1beae0be6c023b9aacd50

  • SHA1

    968b5292f31dbb428accd5999f271c76b72196bf

  • SHA256

    8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fec

  • SHA512

    446f2c0cdafa16a915bdb676020f46665ad10dc5d652cfd5385b5ab21d23743cad78be47457b2cec0cfdc784d70175ceaaa8ff968e0794a1bbc24c9018fbdd9d

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpIb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
    "C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2916
    • C:\UserDot7B\abodloc.exe
      C:\UserDot7B\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4696

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\KaVB4N\boddevsys.exe

          Filesize

          142KB

          MD5

          85034e0c40cfa21c258fdec503d76978

          SHA1

          cc9776b7fdaaadc5c074d93907900300e58005ea

          SHA256

          3c881cfadace041d098c4afc7bee1ad9f528c50c9be8f3f9f2394e3b0193e061

          SHA512

          5e8fc2786763be53f6827728cf28e4bdd63830b41fedfe18e854298d0ad8d2f77890a36131ee0e78c3e6e5b1e4626066d5a095154fe3502da47eeadcdec55b59

        • C:\KaVB4N\boddevsys.exe

          Filesize

          2.6MB

          MD5

          a822030c119347f99d4201d50bc16b24

          SHA1

          0e441e7e217f33b783b9a98e58be94fe51c6a02a

          SHA256

          53026b67e6e26280821686c5e9e2a1ca3626607d217dce3e22e99d031d206903

          SHA512

          5c6911b5a754d9b92c8b09e1cecfc855c3b3fa0e420aee815e708d69797f6533196f50410f17401164f5d7759708a4c443b908dbf490c036f585ef4b292bf886

        • C:\UserDot7B\abodloc.exe

          Filesize

          2.6MB

          MD5

          974cfbfe2ed7dfc3d59b16e39a09b1b3

          SHA1

          6b611d24765b1b6f0198366b98080de7881cfd13

          SHA256

          f0336202b8ac395ababac8da4e0575e1d3de9984f8db025bfbb6daf1e2151c4e

          SHA512

          fafe94c878717457623bd2650d638e5e9fe6cc763dfaa0b5226730af816eba3a6c3fcd1c0a326975181172f957d994ee3aa9cbb07f8e223347b447e06d446dbf

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          203B

          MD5

          0dbd9589fa9e75a8694324c01393783d

          SHA1

          75bdd0cdc5f412151bc60764c75fc724474fd2e4

          SHA256

          afefdbf80aa850b40a5f1a694852121e201a011274db1837df33c78c3a857c83

          SHA512

          50593eace73793197a7ffbb87db9076058db4e55cb91d0c82b372fdb59abada09f0615017f17d86ddd723d7beda88d25e286ef46690da48278609eae6d29a475

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          171B

          MD5

          612172d7c60a31bcc9733c7ac01409b1

          SHA1

          e4a55765d4fa3cb3f5fdc9021a0e48708afcdadf

          SHA256

          184e27da420ab9a2876930acd57b8be73b5276ef8786f2ee6cc16bc38b4e3a85

          SHA512

          6163f604a9b0b2e57e139a5e86928ca6bc8eb1431c8b13b8c2f0f53489c96b30f203d1a6e950f3dc24aa4e4d2aecda6a61280fb93ea3fa4c995898af5b067428

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          0bc3299cb1f53ed46e48f480df2bbb15

          SHA1

          6355e59edd3033612f26130fe5a3f7a95b6b0649

          SHA256

          cb1b3b7ff845d623d0506f573e67ec1fa979fce05f5d3f03aa096c76fe2f7a4d

          SHA512

          8e9628e4c5b8efb4215e0cec7ab50e5a8bc6195e80309e071d7727e81c764e07d41b1fa924a77d772f8d55d692ad5d3e540db0a40593ace62f4210bf901ed8b3