Analysis

  • max time kernel: 149s
  • max time network: 144s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/11/2024, 22:20

General

  • Target: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
  • Size: 3.1MB
  • MD5: c284c6203db5dba4a4b6f1ea9720bd0d
  • SHA1: 874f0a69066689da4cca052d116f4d7348159b1e
  • SHA256: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a
  • SHA512: 2b4fd26bade0a083a96075a1e21e40ad30377276ea3f68aef3466718c3bfa1ab38fb007899721101db57a0c99a4c9cce67deca5c5cf2f7854f542a05e8de10cd
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUphbVz8eLFc

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
    "C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3088
    • C:\FilesED\adobsys.exe
      C:\FilesED\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesED\adobsys.exe
    Filesize: 2.8MB
    MD5: c706ba19dc437b61aa42f807d4e428d9
    SHA1: d554a5ae7dbad3500ef9813ff23d7c5b71d64404
    SHA256: 12f9276a56f044689f8e697353cc275cb9b7e8e4ced91561008ed7532e0200d4
    SHA512: c3081d2d234ef692eb8c2649db79d25d5e6b2432b0455617423a433da7511ef00d433e331dea4d007dc2aa1b9ff21dade7e2dc2025a6e902593344420ad62f9a

  • C:\FilesED\adobsys.exe
    Filesize: 3.1MB
    MD5: 27009c11153c08eaa3ca716543923e9b
    SHA1: 7d7a79e2423bc8af53e142f7b7d7e4b190c857ef
    SHA256: f133a02488857265cf074df309b2fa1ad59fd40cfcee0cc8a2f3de580a76086c
    SHA512: 7d615c3760d042cc586b51542a4d76c1fcfc64cd560d7c1b16cc96e5d11deec822aacf443c0fcab56ccebea46a878be52920676eae67510e4048834b2b6fe3dc

  • C:\KaVBTQ\bodasys.exe
    Filesize: 54KB
    MD5: d428af90faba26430bad2e091cc230a7
    SHA1: 6b14c533413c37448be64c4c86ad7c6e9180e1d9
    SHA256: dbc10beaf06bfcee944e5a97f0fdb8da6e8b61752080f36cccb27a6f29b105a4
    SHA512: 94c7886b0b60fa8ae0efb13ad6acd2492f7ebe565d23644fd702b6b4b695563a497caf5f80f63bc8658852f962eab1f46b9eaa43140507220da7667b984d4adf

  • C:\KaVBTQ\bodasys.exe
    Filesize: 3.1MB
    MD5: d80b5b2a5287bee731546d179d0e7e31
    SHA1: 113f5bcbb31c22e1758a0e9fe47732610a5a845a
    SHA256: 6f4d176c002e560103da651fb6f2d871058508f7b2afbc190c74b0684911c6cd
    SHA512: 4afe4d367594e45685fe873290a3860cc89f744823e8f756bc5987bff3bab142d2982177c42ac66b34e20642ac288bc1999b829003939188428ed2d1ce5f2ad8

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 199B
    MD5: 6f340f89542f5e905004b4c8c0ad5e57
    SHA1: b635b6bd9f0eb7b890398d2aa4372dbe9c65f0b0
    SHA256: 5624c4294b4951b0c5e82c817f1bf23751f9aca3dedf1198b082caa86f13eccb
    SHA512: ae9747de3245d41344e75bffdfa9cc63c8bf538ef956c0b1502a4dcb9f87a15f998fd801ae0e0e824cdc0d3f1135caa908a13c9b6cacdef1dde7b3f2e02b75c9

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 167B
    MD5: 21d6cf8308bc9f20eef58e143d7dd9d6
    SHA1: 8111efbe7b161d8995b1a95e2359579098e9be88
    SHA256: 2d972578dbfc0abaa167315dd35e36651d4e975b90880a6dfea68e03dcda9ecb
    SHA512: 67c7181b2020329ad5af42c447679359cc121a3e7d51f293d97f89e391c53303d68ab5d54635c122389622d15ce5a946e6acac15e3af58012c45e42978c7f0d4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Filesize: 3.1MB
    MD5: 2b1c4939970719361c8d8c541aac1715
    SHA1: dcbefaf395c95bb0f98da5fa5ff71dcfb7ae8f87
    SHA256: 4f8501466023054165ba422e6301c575cf446b43b4edba9924ed85440fc10202
    SHA512: 8ce6139377d05b9df59885f89e1ac2964d75a0f2654c0e2a782ade927f5be947e97d19f0a9249a933d0f5491ad117315a460aed1c3bc29f167982ba723caa231