Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 22:57
Static task
static1
Behavioral task
behavioral1
Sample
610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
Resource
win10v2004-20241007-en
General
Target: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
Size: 2.6MB
MD5: 7f3b3e0c2939bdb22859057479fc4b16
SHA1: a8963f9e46a95618868ac6ebb62e40f972bf2198
SHA256: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d
SHA512: 36ece480a50115ac49180eb3ffea6fadc3f4310d4af2408fb2d714e7a66a86a32808e21402533fd85a8a89210b0a977443049db35a93b3b746266bfd86820d9f
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures
Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe

Executes dropped EXE 2 IoCs
  pid: 2896   Process: ecxopti.exe
  pid: 1784   Process: abodloc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesS2\\abodloc.exe"
  Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBB0\\dobaec.exe"
  Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecxopti.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: abodloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4376 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe 4376 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe 4376 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe 4376 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe 2896 ecxopti.exe 2896 ecxopti.exe 1784 abodloc.exe 1784 abodloc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
  description: PID 4376 wrote to memory of 2896   pid: 4376   Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe   procid_target: 87
  description: PID 4376 wrote to memory of 2896   pid: 4376   Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe   procid_target: 87
  description: PID 4376 wrote to memory of 2896   pid: 4376   Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe   procid_target: 87
  description: PID 4376 wrote to memory of 1784   pid: 4376   Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe   procid_target: 90
  description: PID 4376 wrote to memory of 1784   pid: 4376   Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe   procid_target: 90
  description: PID 4376 wrote to memory of 1784   pid: 4376   Process: 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe   procid_target: 90
Processes
C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4376

  +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2896

  +-- C:\FilesS2\abodloc.exe
      command line: C:\FilesS2\abodloc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1784
Network
MITRE ATT&CK Enterprise v15
Downloads