Analysis
-
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 22:20
Static task: static1
Behavioral task: behavioral1
Sample: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
Resource: win10v2004-20241007-en
General
-
Target: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
Size: 3.1MB
MD5: c284c6203db5dba4a4b6f1ea9720bd0d
SHA1: 874f0a69066689da4cca052d116f4d7348159b1e
SHA256: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a
SHA512: 2b4fd26bade0a083a96075a1e21e40ad30377276ea3f68aef3466718c3bfa1ab38fb007899721101db57a0c99a4c9cce67deca5c5cf2f7854f542a05e8de10cd
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUphbVz8eLFc
Malware Config
Signatures
-
Drops startup file 1 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe)
-
Executes dropped EXE 2 IoCs
PID 3088: ecabod.exe
PID 3884: adobsys.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTQ\\bodasys.exe" (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesED\\adobsys.exe" (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe)
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: adobsys.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: ecabod.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 1212: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe (4 entries)
PID 3088: ecabod.exe and PID 3884: adobsys.exe, alternating in pairs (remaining 60 entries, 30 each)
-
Suspicious use of WriteProcessMemory 6 IoCs
PID 1212 wrote to memory of 3088 (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe, procid_target: 89)
PID 1212 wrote to memory of 3088 (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe, procid_target: 89)
PID 1212 wrote to memory of 3088 (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe, procid_target: 89)
PID 1212 wrote to memory of 3884 (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe, procid_target: 91)
PID 1212 wrote to memory of 3884 (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe, procid_target: 91)
PID 1212 wrote to memory of 3884 (Process: 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe, procid_target: 91)
Processes
-
C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1212
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3088
    C:\FilesED\adobsys.exe (depth 2)
    Command line: C:\FilesED\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3884
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.8MB
MD5: c706ba19dc437b61aa42f807d4e428d9
SHA1: d554a5ae7dbad3500ef9813ff23d7c5b71d64404
SHA256: 12f9276a56f044689f8e697353cc275cb9b7e8e4ced91561008ed7532e0200d4
SHA512: c3081d2d234ef692eb8c2649db79d25d5e6b2432b0455617423a433da7511ef00d433e331dea4d007dc2aa1b9ff21dade7e2dc2025a6e902593344420ad62f9a
-
Filesize: 3.1MB
MD5: 27009c11153c08eaa3ca716543923e9b
SHA1: 7d7a79e2423bc8af53e142f7b7d7e4b190c857ef
SHA256: f133a02488857265cf074df309b2fa1ad59fd40cfcee0cc8a2f3de580a76086c
SHA512: 7d615c3760d042cc586b51542a4d76c1fcfc64cd560d7c1b16cc96e5d11deec822aacf443c0fcab56ccebea46a878be52920676eae67510e4048834b2b6fe3dc
-
Filesize: 54KB
MD5: d428af90faba26430bad2e091cc230a7
SHA1: 6b14c533413c37448be64c4c86ad7c6e9180e1d9
SHA256: dbc10beaf06bfcee944e5a97f0fdb8da6e8b61752080f36cccb27a6f29b105a4
SHA512: 94c7886b0b60fa8ae0efb13ad6acd2492f7ebe565d23644fd702b6b4b695563a497caf5f80f63bc8658852f962eab1f46b9eaa43140507220da7667b984d4adf
-
Filesize: 3.1MB
MD5: d80b5b2a5287bee731546d179d0e7e31
SHA1: 113f5bcbb31c22e1758a0e9fe47732610a5a845a
SHA256: 6f4d176c002e560103da651fb6f2d871058508f7b2afbc190c74b0684911c6cd
SHA512: 4afe4d367594e45685fe873290a3860cc89f744823e8f756bc5987bff3bab142d2982177c42ac66b34e20642ac288bc1999b829003939188428ed2d1ce5f2ad8
-
Filesize: 199B
MD5: 6f340f89542f5e905004b4c8c0ad5e57
SHA1: b635b6bd9f0eb7b890398d2aa4372dbe9c65f0b0
SHA256: 5624c4294b4951b0c5e82c817f1bf23751f9aca3dedf1198b082caa86f13eccb
SHA512: ae9747de3245d41344e75bffdfa9cc63c8bf538ef956c0b1502a4dcb9f87a15f998fd801ae0e0e824cdc0d3f1135caa908a13c9b6cacdef1dde7b3f2e02b75c9
-
Filesize: 167B
MD5: 21d6cf8308bc9f20eef58e143d7dd9d6
SHA1: 8111efbe7b161d8995b1a95e2359579098e9be88
SHA256: 2d972578dbfc0abaa167315dd35e36651d4e975b90880a6dfea68e03dcda9ecb
SHA512: 67c7181b2020329ad5af42c447679359cc121a3e7d51f293d97f89e391c53303d68ab5d54635c122389622d15ce5a946e6acac15e3af58012c45e42978c7f0d4
-
Filesize: 3.1MB
MD5: 2b1c4939970719361c8d8c541aac1715
SHA1: dcbefaf395c95bb0f98da5fa5ff71dcfb7ae8f87
SHA256: 4f8501466023054165ba422e6301c575cf446b43b4edba9924ed85440fc10202
SHA512: 8ce6139377d05b9df59885f89e1ac2964d75a0f2654c0e2a782ade927f5be947e97d19f0a9249a933d0f5491ad117315a460aed1c3bc29f167982ba723caa231