Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 08/11/2024, 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
  Resource: win10v2004-20241007-en
General
Target: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
Size: 2.6MB
MD5: a51a48199653b76b47bf55ae6abdb470
SHA1: 53ca5ea420e3e5dd1ac9c0e2aeb4782030d9c753
SHA256: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1
SHA512: 002d6bd0632487ccc37e23903994b2ed8f81dda382a3e259ddca7022347814be4f73f09d6882da3f4fd38aecc4a90a14e4eefa6ec55ad294beeb48d483cdc30c
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpXb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe

Executes dropped EXE (2 IoCs)
  PID 2792: ecxbod.exe
  PID 2952: abodsys.exe

Loads dropped DLL (2 IoCs)
  PID 1904: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
  PID 1904: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeY1\\abodsys.exe"
    Process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2T\\dobxloc.exe"
    Process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecxbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: abodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1904: 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe (2 entries)
  PID 2792: ecxbod.exe and PID 2952: abodsys.exe (alternating, remaining 62 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1904 (8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe) wrote to memory of PID 2792, procid_target 31 (4 entries)
  PID 1904 (8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe) wrote to memory of PID 2952, procid_target 32 (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe"
   PID: 1904
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      PID: 2792
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\AdobeY1\abodsys.exe
      Command line: C:\AdobeY1\abodsys.exe
      PID: 2952
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 26e7bf3e613b7027bb3bb58a15941552
SHA1: 62d00d33c6fa70a06524118dfd4aa7a90b591d90
SHA256: f4861599f798d9d514a59fe335dc05f0853d8a99a499725c1f651908692d073d
SHA512: d20b75958fff456eaeb260b9cec447175a85f234bb40d9526f84e38d2f854ebf71f5e992f77d9768691998a9abef4ad1b746fc7ec923308cc814af17cbdc912d

Filesize: 1.7MB
MD5: cdd97b53b5ff1c4c91ddadde33a72d19
SHA1: e874795b48a2225d7a2708576fd4d0606378c736
SHA256: 438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde
SHA512: e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Filesize: 2.6MB
MD5: 24d749b80523864f0e855b70b03973c1
SHA1: 924423e4b407f9eb6aa645c7856d43acd0c483f8
SHA256: 082f8005cb019fed7c83e5e13bf51bb33dabf8e9f85d141187e024ea0decee71
SHA512: b2c672860fab853ab538667f536bc0a8b89b598ed29fbc84b4794e41a0a360d617a8113c39f852934c66a2dfed1c1fb467a6157237b4bfb02eda16e10a4051e6

Filesize: 167B
MD5: e860f3e87fce4ffe654217cbb0535850
SHA1: fd18fd535ac4b2c46605441c2127661d108ce242
SHA256: 133f6436d14526bae8df2bf19e0954b7ba2fab13dbd981f5ff29e7a903c4ea4e
SHA512: 974a361f6721b9eb861804d9ec822580670516d54b8345027c73213fb92353bcd13dd1dd5ab9b056df480c4308000dd9b08e637460c483b6f2325308b61e76ef

Filesize: 199B
MD5: 23f85c6a9aad35387834e26f23b23cda
SHA1: 436df2daa11505fbd1ff7dabafd7dbee36ab42ea
SHA256: ddc72af530b3e4f41d9473ef7b31e17a70f18f20041a1fd8142b333ab11e1a2e
SHA512: d428b4801a89bf9054cbb19cfbb980ad37907dce0c87f8145626fcda763fecc2042b0d57f721850e46464911cd789274ae86d65391a51353ef7cb9e2f8cba670

Filesize: 2.6MB
MD5: 8c10c8914e941dc3358bb6beee279bad
SHA1: 2b0116a7b76dce79470d4ae9142a003a673ae456
SHA256: 22da153d36f3670b1338be5d9ad3a48cd35e1410317c94ef323bed536a731664
SHA512: 598f79f99a6706aad0caa3abb53aa12f3634a1d71d87213fe2db09c2742f06ad700d503bea123fdd830e4a6183b78f5ba8a86f335be40327eaff2b1d17ad47a6