Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 23:04

General

  • Target

    63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe

  • Size

    2.6MB

  • MD5

    3e8d70a4fb9d4311e9399dc20cbffe51

  • SHA1

    14c00f90eb01c6b534e4f8add39293875d11c8f1

  • SHA256

    63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f

  • SHA512

    29c9fbb7e6b213eefa51cdc6e3d03592045aff956cbfba22df84fb52fcb60156acd8c5e7e0e94d95defbb5cfa92e972ff0d94bed0b3eece78b33ebc2186de9b4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUphb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
    "C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3148
    • C:\AdobeM4\xbodec.exe
      C:\AdobeM4\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2340

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\AdobeM4\xbodec.exe

          Filesize

          523KB

          MD5

          500db616396fbaf4cc8551a12ca1f339

          SHA1

          34b6e6ab1d8882b75e109bb82397721d75adff12

          SHA256

          0dfe6fa7b2f912ab1b30011ae1b08a0e060d182f8453c119aa27e6055d428359

          SHA512

          d18d242bfe0f82f84834a533dbb5a0c71e7f741589d1798c7e6cadc8b3c31fff71b8e2d1cd20b5f604e13910600cc94233c1a4947598a170d66089e0aa7b06c9

        • C:\AdobeM4\xbodec.exe

          Filesize

          2.6MB

          MD5

          45c6a3d12383a4d712c09f2323ea6382

          SHA1

          82c3288e8af6d371373f8a105550115a4a2db4b9

          SHA256

          f1e6304ea0e95634723fe9c8df68a6e18bbf81e1c65e27def8f118297f215e66

          SHA512

          f538f1e6903767f0654bfbcb9bcea5f57e3f49dde343ac03cdbb77a7b1c17023e78af6cff76a0f04e35591f0625478e8a9704eaf201606da5e73906ad6b6efc4

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          199B

          MD5

          a3c3e567bdd42704c60b95954d2dd6dc

          SHA1

          5b38bf1ba8986b879cb9bfcefbf2e7ea03d14e01

          SHA256

          70199a7eaa640f6a4aee28e66ad02bd84d29a877321df0d2d33468a5603b9625

          SHA512

          450cd5fac8a76bd37191d09fa36a5dfed17cd32cfe1dd6f76521fa41f9ccda1d892239360bf80c14e2c8f812ec6041a73c5c38b57099beb7291f68caa3b8e33d

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          167B

          MD5

          85828776686f9a00ac8a71d893c189ae

          SHA1

          54a19990344ba5e72706f21686a2a4f925c2bd80

          SHA256

          3b9fefb7c27bead6e87a8de27b8109e50b994b562b719235a858c26239f6ea0b

          SHA512

          adc3a086ad560dda18e2a0abdbf120a20911184ba602a67ae9388e01c61d04ad67f37be7dd018765fe90c4397b084876457ca31e716fa808cc8b984206354722

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          912a33f9fff9d2384b8dca75fe214f3f

          SHA1

          8823b933c9dab696e0fcad89cfd00082cd810156

          SHA256

          0963a09d170392f67d272c10fd4492003f6e2282f2e0f6e73b883d13b14dc70d

          SHA512

          1c4940ba9a72749ba7d2d48f1364df532b9493559f2b7704d5f7244e95a0ddf211dd1a1861d1612d9ee801b443e2b87e09c281a04c8040647ff12b9d9d2797ef

        • C:\Vid6R\boddevloc.exe

          Filesize

          2.6MB

          MD5

          81187fe23f0ffe1248dc09d7d4b61689

          SHA1

          96364c1ec1ba5071f6190a7f20eda03584fe91f3

          SHA256

          b6a36642cadba0c74f8e29d6429b83649d63d2d45c69be683a5e5fdcfa61890b

          SHA512

          5ded54249cff72c36c91a3613bbcc7684e631903378cbaea3c14aa8ceb4f6d54cf4b87e04d9bd69d94ec3d58fe93ee6d4712da274fbf32db027d74739a905f13

        • C:\Vid6R\boddevloc.exe

          Filesize

          172KB

          MD5

          9692e952c6f03dc5ee8b6b10364c77e1

          SHA1

          1451b57d59d5fd71d006e085584e7defceec4a34

          SHA256

          3dcce264a07fe01e429a2be3df5ab2e8ca9600c48ae4e5fbbd25307198c460a9

          SHA512

          9b20c805f27ab554dc9fc8df40bbf601ea099babc6b55c588c4278a4564916d2a3c64bdb2e90054903c3cbd058818fa3cc2706a23881009f2fb7d5f47e44cb18