Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2024, 23:31

General

  • Target

    8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe

  • Size

    2.6MB

  • MD5

    a51a48199653b76b47bf55ae6abdb470

  • SHA1

    53ca5ea420e3e5dd1ac9c0e2aeb4782030d9c753

  • SHA256

    8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1

  • SHA512

    002d6bd0632487ccc37e23903994b2ed8f81dda382a3e259ddca7022347814be4f73f09d6882da3f4fd38aecc4a90a14e4eefa6ec55ad294beeb48d483cdc30c

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpXb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
    "C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2792
    • C:\AdobeY1\abodsys.exe
      C:\AdobeY1\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2952

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeY1\abodsys.exe

          Filesize

          2.6MB

          MD5

          26e7bf3e613b7027bb3bb58a15941552

          SHA1

          62d00d33c6fa70a06524118dfd4aa7a90b591d90

          SHA256

          f4861599f798d9d514a59fe335dc05f0853d8a99a499725c1f651908692d073d

          SHA512

          d20b75958fff456eaeb260b9cec447175a85f234bb40d9526f84e38d2f854ebf71f5e992f77d9768691998a9abef4ad1b746fc7ec923308cc814af17cbdc912d

        • C:\Mint2T\dobxloc.exe

          Filesize

          1.7MB

          MD5

          cdd97b53b5ff1c4c91ddadde33a72d19

          SHA1

          e874795b48a2225d7a2708576fd4d0606378c736

          SHA256

          438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

          SHA512

          e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

        • C:\Mint2T\dobxloc.exe

          Filesize

          2.6MB

          MD5

          24d749b80523864f0e855b70b03973c1

          SHA1

          924423e4b407f9eb6aa645c7856d43acd0c483f8

          SHA256

          082f8005cb019fed7c83e5e13bf51bb33dabf8e9f85d141187e024ea0decee71

          SHA512

          b2c672860fab853ab538667f536bc0a8b89b598ed29fbc84b4794e41a0a360d617a8113c39f852934c66a2dfed1c1fb467a6157237b4bfb02eda16e10a4051e6

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          167B

          MD5

          e860f3e87fce4ffe654217cbb0535850

          SHA1

          fd18fd535ac4b2c46605441c2127661d108ce242

          SHA256

          133f6436d14526bae8df2bf19e0954b7ba2fab13dbd981f5ff29e7a903c4ea4e

          SHA512

          974a361f6721b9eb861804d9ec822580670516d54b8345027c73213fb92353bcd13dd1dd5ab9b056df480c4308000dd9b08e637460c483b6f2325308b61e76ef

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          199B

          MD5

          23f85c6a9aad35387834e26f23b23cda

          SHA1

          436df2daa11505fbd1ff7dabafd7dbee36ab42ea

          SHA256

          ddc72af530b3e4f41d9473ef7b31e17a70f18f20041a1fd8142b333ab11e1a2e

          SHA512

          d428b4801a89bf9054cbb19cfbb980ad37907dce0c87f8145626fcda763fecc2042b0d57f721850e46464911cd789274ae86d65391a51353ef7cb9e2f8cba670

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

          Filesize

          2.6MB

          MD5

          8c10c8914e941dc3358bb6beee279bad

          SHA1

          2b0116a7b76dce79470d4ae9142a003a673ae456

          SHA256

          22da153d36f3670b1338be5d9ad3a48cd35e1410317c94ef323bed536a731664

          SHA512

          598f79f99a6706aad0caa3abb53aa12f3634a1d71d87213fe2db09c2742f06ad700d503bea123fdd830e4a6183b78f5ba8a86f335be40327eaff2b1d17ad47a6