Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 14:54
Static task: static1
Behavioral task: behavioral1
  Sample: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
  Resource: win10v2004-20241007-en
General
Target: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
Size: 2.6MB
MD5: 5fd1eaa5bafc7b3c881b91da1d0e0ae0
SHA1: fc34e90d58f6e4d457fea938a790713b58e43ee2
SHA256: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04b
SHA512: 87ca8039307e11b974a1c3fdb891defb14f7dd3096397813d80ae443c36a8dce4608d21db613ccf76371d183a1a099222eca2331fb2235d672bc1bfd16f36049
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpKb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (process: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe)
- Executes dropped EXE (2 IoCs)
  PID 1916 ecxdob.exe
  PID 4520 abodloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGH\\abodloc.exe" (process: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4X\\optiasys.exe" (process: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodloc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxdob.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2164 a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe (4 entries)
  PID 1916 ecxdob.exe (30 entries)
  PID 4520 abodloc.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2164 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 1916 (ecxdob.exe), procid_target 90 (3 entries)
  PID 2164 (a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe) wrote to memory of PID 4520 (abodloc.exe), procid_target 91 (3 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe"
  PID: 2164
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    PID: 1916
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - [depth 2] C:\SysDrvGH\abodloc.exe
    Command line: C:\SysDrvGH\abodloc.exe
    PID: 4520
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
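As an added example (not part of this report and not the sandbox's own code), the Python below turns the Signatures and Processes sections above into a hunt over Sysmon-style ProcessCreate (Event ID 1), FileCreate (Event ID 11) and registry value-set (Event ID 13) events. The event records, the field names, the "bob" host path and the benign entries are constructed for illustration; the directories, the Parametr value name, the Startup-folder drop and the SHA256 values come from the report. Two points a practitioner would want covered: the RunOnce target C:\Galax4X\optiasys.exe is written to the registry but never appears in the process tree, so the hunt keys on the directory rather than only on the two binaries seen running, and the Startup folder is matched by suffix because the Admin profile name is specific to the sandbox.

```python
import re

# IoCs lifted from the Signatures, General and Downloads sections of the report above.
SAMPLE_NAME = "a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME

KNOWN_SHA256 = {
    "a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04b": "submitted sample",
    "90778c6f6b73765e81c517607f05d82ac7a92ce96ceb96a6b3a804d9dba0e50f": "dropped file, 1.1MB",
    "c09521a0e53e51c05e8e940294f9fc4d50d4e81771d8705921e53221047f1ec5": "dropped file, 2.6MB",
    "83a7f31b8578e7a00a994f3dbe8e71747a382cf0e351c7d7fa0610dded8976c4": "dropped file, 118KB",
    "2ed1e4634893387959339cfc1e817f2a2a5d1a310f1e60a154de15916bc77926": "dropped file, 2.6MB",
    "3fc0aee7a5816dfa745bcbf5cadbe9aa8c3b45d4951357ed93059be57412c637": "dropped file, 202B",
    "1a0ed9056f11065774b2228374024f4ebf090bc6c96d2467468448f678646679": "dropped file, 170B",
    "fa3ebf440896d17da7d752981b3a35e25743cc23ff6af0aa0110e910a7db3228": "dropped file, 2.6MB",
}

# Directories the sample writes to and launches from (C:\Galax4X holds the RunOnce
# target optiasys.exe, which the report never shows executing). The Startup folder
# is matched by suffix because the "Admin" profile name is sandbox-specific.
KNOWN_DIRS = {r"c:\sysdrvgh", r"c:\galax4x"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$")
RUN_VALUE_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\parametr$")


def parse_hashes(field):
    """Turn Sysmon's 'MD5=..,SHA256=..' Hashes field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def _dir_of(path):
    """Lower-cased parent directory of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]


def hunt(events):
    """Return (rule, detail) pairs for every event matching an IoC from the report."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate
            target = ev["TargetFilename"]
            if STARTUP_RE.search(target.lower()):
                findings.append(("startup_drop", ev["Image"] + " -> " + target))
            elif _dir_of(target) in KNOWN_DIRS:
                findings.append(("known_dir_write", ev["Image"] + " -> " + target))
        elif eid == 13:  # RegistryEvent (value set)
            if RUN_VALUE_RE.search(ev["TargetObject"].lower()):
                findings.append(("run_value_parametr", ev["TargetObject"] + " = " + ev["Details"]))
        elif eid == 1:  # ProcessCreate
            image = ev["Image"]
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha256 in KNOWN_SHA256:
                findings.append(("hash_match", image + " (" + KNOWN_SHA256[sha256] + ")"))
            if _dir_of(image) in KNOWN_DIRS or STARTUP_RE.search(image.lower()):
                findings.append(("exec_from_known_path", ev.get("ParentImage", "?") + " -> " + image))
    return findings


# Constructed Sysmon-style events (not taken from the report) exercising each rule,
# plus benign entries that must not fire.
HKU_RUN = r"HKU\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE_PATH,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"},
    {"EventID": 11, "Image": SAMPLE_PATH, "TargetFilename": r"C:\SysDrvGH\abodloc.exe"},
    {"EventID": 13, "TargetObject": HKU_RUN + r"\Run\Parametr", "Details": r"C:\SysDrvGH\abodloc.exe"},
    {"EventID": 13, "TargetObject": HKU_RUN + r"\RunOnce\Parametr", "Details": r"C:\Galax4X\optiasys.exe"},
    {"EventID": 13, "TargetObject": HKU_RUN + r"\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},  # benign
    {"EventID": 1, "Image": r"C:\SysDrvGH\abodloc.exe", "ParentImage": SAMPLE_PATH,
     "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "0" * 64},  # unknown hash, known path
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\invoice.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=A9FCD8D7C19E719CC0653144AD8147C720D20E75F6B0E92BFD982FDD4FF9B04B"},  # renamed sample
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + "1" * 64},  # benign
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

Run against the constructed events the hunt reports the Startup drop, the write into C:\SysDrvGH, both Parametr values, the launch from C:\SysDrvGH, and the renamed copy of the sample identified by SHA256 only, while the OneDrive Run value and notepad.exe stay silent. Hash matching is case-normalised because Sysmon emits uppercase hex while the report lists lowercase.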
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 2532ba332214a67467b903e638299475
  SHA1: 435f13f7c1d6d66241fe6c9271d84e29b63a6aed
  SHA256: 90778c6f6b73765e81c517607f05d82ac7a92ce96ceb96a6b3a804d9dba0e50f
  SHA512: 02636831644121e8282c1d04aa0168054f053dd2de8b3eb1f34679e88209c9599fcf541bc34bf11a4af07dfd2a7adf59b013d918a7cf7869d3bad9e84d0a7e13
- Filesize: 2.6MB
  MD5: 6c82f3650b5cf30235cb253b707db74f
  SHA1: 1e0626c3f9eb03ed891c183ab4544c32f040141a
  SHA256: c09521a0e53e51c05e8e940294f9fc4d50d4e81771d8705921e53221047f1ec5
  SHA512: c65ba5fbf68b2a38770c7e078cbf9d5dfbabc4d5f57162a44c81f6aa55fc7bbfd3626add3caa6ccb2ccb8aecfc19ff3c202585940e6552c0c0f91f4221d5bbfd
- Filesize: 118KB
  MD5: 49af68b42b3107ac792422c10fe0b74f
  SHA1: 5fc398ad18774ec4495f063f018f4db58862dbe8
  SHA256: 83a7f31b8578e7a00a994f3dbe8e71747a382cf0e351c7d7fa0610dded8976c4
  SHA512: 89a91aafb5af39699748f6b84a6bc5db955d5f5d4474447893b829c9fed9377a791c01483bbd890bff4c7e24d20a7a372137094dd20fe9de5c9057a61f4a37dc
- Filesize: 2.6MB
  MD5: 5071982951112da534f4bd261d07d4b0
  SHA1: 30d4985f1ca3dac846ed574f2eb3c038a8827a83
  SHA256: 2ed1e4634893387959339cfc1e817f2a2a5d1a310f1e60a154de15916bc77926
  SHA512: 4af81d6186eb3685d63465fc2830af6455f009729dc8361d5176f3db0cadee7da133999852242ecc2a55a5c5d0b12c44da14da052e237004f073684a2724e57d
- Filesize: 202B
  MD5: 99a20c320060b654a7d4715587b77b23
  SHA1: c7a29c481f392da50a08a658bb5a413b1ceca8c9
  SHA256: 3fc0aee7a5816dfa745bcbf5cadbe9aa8c3b45d4951357ed93059be57412c637
  SHA512: e81ab6bc12c02499ec376cf9f289b7cfc9ba1812acbb3873fe3c5bec5e52a7ff9ded5cf247cc23738db04e5122167f04b461fc1ff52fcd6adb11bc0471a111ef
- Filesize: 170B
  MD5: 0bf4cb912a4f3618779c191cbb09f27c
  SHA1: 5cc6bc4d62c7d77351c72af511f5796612f8844f
  SHA256: 1a0ed9056f11065774b2228374024f4ebf090bc6c96d2467468448f678646679
  SHA512: b1fb21ffe8bc246afad039c2e895a52d4b7ea9e6fea36b7307ccd30430c71f1bc3b6c6b70d2947f31ce1e7f0031d74643b38daabe14716b7aca1f6b2644c786c
- Filesize: 2.6MB
  MD5: 4f637034ec1cd5d6b73e5dba437f19c9
  SHA1: 8bee46bf82a5fc0b4bec40b7df6be7ff21d70ee8
  SHA256: fa3ebf440896d17da7d752981b3a35e25743cc23ff6af0aa0110e910a7db3228
  SHA512: 8e0003c1a092b2eb0cd4b14540562b79b4ff712ed7af48c94554940319b1ced7e32213f0c29b5097d745b267c6c8f69ce1b7b9e96896a8c48c4020be650b2696