Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:04
Static task: static1
Behavioral task: behavioral1
  Sample: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Resource: win10v2004-20241007-en
General
Target: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
Size: 2.6MB
MD5: 3e8d70a4fb9d4311e9399dc20cbffe51
SHA1: 14c00f90eb01c6b534e4f8add39293875d11c8f1
SHA256: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f
SHA512: 29c9fbb7e6b213eefa51cdc6e3d03592045aff956cbfba22df84fb52fcb60156acd8c5e7e0e94d95defbb5cfa92e972ff0d94bed0b3eece78b33ebc2186de9b4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bS:sxX7QnxrloE5dpUphb
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    by process: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
Executes dropped EXE (2 IoCs)
  PID 3148  ecadob.exe
  PID 2340  xbodec.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeM4\\xbodec.exe"
    by process: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6R\\boddevloc.exe"
    by process: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: ecadob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by process: xbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated hits from three processes (duplicate entries collapsed):
  PID 3820  63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
  PID 3148  ecadob.exe
  PID 2340  xbodec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3820 (63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe) wrote to memory of PID 3148, procid_target 88  (3 entries)
  PID 3820 (63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe) wrote to memory of PID 2340, procid_target 90  (3 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe"
    PID: 3820
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
        PID: 3148
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\AdobeM4\xbodec.exe
        Command line: C:\AdobeM4\xbodec.exe
        PID: 2340
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads