Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    11/11/2024, 22:59

General

  • Target

    619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe

  • Size

    2.6MB

  • MD5

    fbad5430cd662d3af22592e04b2bc074

  • SHA1

    22e9540411b99d83a2fbe15c3377e483c44f2031

  • SHA256

    619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80

  • SHA512

    0e9431853152383f66ea06829ee052fac4bcb0404e45ae3e0703eabe01f0889909feb311d442d8c5bb094907926a37b3288df179729c459e2bd9f5b96ff0810b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSq:sxX7QnxrloE5dpUp6bV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
    "C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2364
    • C:\AdobeGU\abodsys.exe
      C:\AdobeGU\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2632

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\AdobeGU\abodsys.exe

          Filesize

          2.6MB

          MD5

          2cd708e4ff32e3d09dc1c9c7e6fd416b

          SHA1

          547c651fd3428d0baa9116226bce1e4a40eeb4b2

          SHA256

          7158a3da685cd247f87dc181470fea0fe6d8a5c38239cbc5bc276d03e77f36cc

          SHA512

          aa89316be22d759a8e4a0d6af16920eed8405356bf0a569c914c4897505ba1cb83c43e27599c1b755a67889c5e8ced7d05ea1b93e516e0b0aa65b40f4ae70a63

        • C:\LabZ3N\bodaloc.exe

          Filesize

          1.4MB

          MD5

          57c7395c5235304b8a9c4dfdb0be6bb6

          SHA1

          ad0d1cf780f78e82fd5d1d1e044596369610acf3

          SHA256

          d8ecf665fbf945c90de70193765594e2ec06b0f3032954a720c2049176bbc6c1

          SHA512

          021f5b5af0fd06c0aa0b68ef0ee7096725c0d27dd43cd0e4f46f54d2708adb13102ca4ef9ea20a2b82672dd0bddeec563120d2a3fa2c089ee3907029af255cc4

        • C:\LabZ3N\bodaloc.exe

          Filesize

          2.6MB

          MD5

          f24c0b6ad669a42c1544e3835b44b614

          SHA1

          797b32edf1887291ddada0d431bb429d9347b586

          SHA256

          5ec8f77064db9fed8be72e518c3a83ef900aaeb511f32462b15cf57bdf9fb855

          SHA512

          48e9bbcbcdb69e0501f03878af52b09dcdbcd5c866fc31ba01d081325ff33d2374bcbbcc97487c1f1f4c4da3685d1a36133e367ed161838428a01277684468b6

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          167B

          MD5

          3c658ed1dc203f73d1d7a271d6f6afc0

          SHA1

          5e5b2b68e41203cc8a607e46becc434133a40cea

          SHA256

          9cb4c9a378309ae3c242e523f6d99e6873a2229c67c5ac80ce90424c5e1c810d

          SHA512

          0cea844296e371120a3dc872ad5d6c93824cc5cc8e0d28545b671a79b14a8b4e798e380e9acb5b2c47bca43f3d3883a8870d40a6708a7c434fd3ebe68c31aa0e

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          199B

          MD5

          29c830e5fcc11d1d79c20d11d4c48c39

          SHA1

          9ad39cbae20a0aae3349d3e1efe61b255652807f

          SHA256

          d0e96fe42fc7b092d31fc9ed375dfebfb886e750d8f762da56aacbeb7d603313

          SHA512

          429dd0c384dc474170009a93e02d93b2a56f7709435f63502f77a185754fecdae6cfe385634c3e9157e5681fa17cb1b1413ecd448ea5bb8dfaaf897e51f57294

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

          Filesize

          2.6MB

          MD5

          c85addf524606f6e1a4feccc049e4b85

          SHA1

          e8a52b8719d7c2670e84b16d9f9954bf4ea343ff

          SHA256

          05a0fcba877f8abd6eac6eb2d3afc0da100a1e1417beedffe7f3194736f2b375

          SHA512

          9a748474d2e92bf403a0fa49214f62df455f716255d5cf5ecd53538794783ababb665de1474b75e0cbaff618dc58596af807752e791234c13ffe02b3d87df613