Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 22:59
Static task: static1
Behavioral task: behavioral1
Sample: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
Resource: win10v2004-20241007-en
General
Target: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
Size: 2.6MB
MD5: fbad5430cd662d3af22592e04b2bc074
SHA1: 22e9540411b99d83a2fbe15c3377e483c44f2031
SHA256: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80
SHA512: 0e9431853152383f66ea06829ee052fac4bcb0404e45ae3e0703eabe01f0889909feb311d442d8c5bb094907926a37b3288df179729c459e2bd9f5b96ff0810b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSq:sxX7QnxrloE5dpUp6bV
Malware Config
Signatures
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
Executes dropped EXE (2 IoCs)
pid   Process
2364  ecabod.exe
2632  abodsys.exe
Loads dropped DLL (2 IoCs)
pid   Process
2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGU\\abodsys.exe"
Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3N\\bodaloc.exe"
Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: ecabod.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: abodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
2364  ecabod.exe
2632  abodsys.exe
(The 64 entries repeat these three pid/process pairs; duplicates collapsed here.)
Suspicious use of WriteProcessMemory (8 IoCs)
description                          pid   Process                                                               procid_target
PID 2980 wrote to memory of 2364     2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  30
PID 2980 wrote to memory of 2364     2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  30
PID 2980 wrote to memory of 2364     2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  30
PID 2980 wrote to memory of 2364     2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  30
PID 2980 wrote to memory of 2632     2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  31
PID 2980 wrote to memory of 2632     2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  31
PID 2980 wrote to memory of 2632     2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  31
PID 2980 wrote to memory of 2632     2980  619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  31
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2980

  Level 2 (child of 2980): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2364

  Level 2 (child of 2980): C:\AdobeGU\abodsys.exe
  Command line: C:\AdobeGU\abodsys.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2632
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 2cd708e4ff32e3d09dc1c9c7e6fd416b
SHA1: 547c651fd3428d0baa9116226bce1e4a40eeb4b2
SHA256: 7158a3da685cd247f87dc181470fea0fe6d8a5c38239cbc5bc276d03e77f36cc
SHA512: aa89316be22d759a8e4a0d6af16920eed8405356bf0a569c914c4897505ba1cb83c43e27599c1b755a67889c5e8ced7d05ea1b93e516e0b0aa65b40f4ae70a63

Filesize: 1.4MB
MD5: 57c7395c5235304b8a9c4dfdb0be6bb6
SHA1: ad0d1cf780f78e82fd5d1d1e044596369610acf3
SHA256: d8ecf665fbf945c90de70193765594e2ec06b0f3032954a720c2049176bbc6c1
SHA512: 021f5b5af0fd06c0aa0b68ef0ee7096725c0d27dd43cd0e4f46f54d2708adb13102ca4ef9ea20a2b82672dd0bddeec563120d2a3fa2c089ee3907029af255cc4

Filesize: 2.6MB
MD5: f24c0b6ad669a42c1544e3835b44b614
SHA1: 797b32edf1887291ddada0d431bb429d9347b586
SHA256: 5ec8f77064db9fed8be72e518c3a83ef900aaeb511f32462b15cf57bdf9fb855
SHA512: 48e9bbcbcdb69e0501f03878af52b09dcdbcd5c866fc31ba01d081325ff33d2374bcbbcc97487c1f1f4c4da3685d1a36133e367ed161838428a01277684468b6

Filesize: 167B
MD5: 3c658ed1dc203f73d1d7a271d6f6afc0
SHA1: 5e5b2b68e41203cc8a607e46becc434133a40cea
SHA256: 9cb4c9a378309ae3c242e523f6d99e6873a2229c67c5ac80ce90424c5e1c810d
SHA512: 0cea844296e371120a3dc872ad5d6c93824cc5cc8e0d28545b671a79b14a8b4e798e380e9acb5b2c47bca43f3d3883a8870d40a6708a7c434fd3ebe68c31aa0e

Filesize: 199B
MD5: 29c830e5fcc11d1d79c20d11d4c48c39
SHA1: 9ad39cbae20a0aae3349d3e1efe61b255652807f
SHA256: d0e96fe42fc7b092d31fc9ed375dfebfb886e750d8f762da56aacbeb7d603313
SHA512: 429dd0c384dc474170009a93e02d93b2a56f7709435f63502f77a185754fecdae6cfe385634c3e9157e5681fa17cb1b1413ecd448ea5bb8dfaaf897e51f57294

Filesize: 2.6MB
MD5: c85addf524606f6e1a4feccc049e4b85
SHA1: e8a52b8719d7c2670e84b16d9f9954bf4ea343ff
SHA256: 05a0fcba877f8abd6eac6eb2d3afc0da100a1e1417beedffe7f3194736f2b375
SHA512: 9a748474d2e92bf403a0fa49214f62df455f716255d5cf5ecd53538794783ababb665de1474b75e0cbaff618dc58596af807752e791234c13ffe02b3d87df613