Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    11/11/2024, 23:32

General

  • Target

    3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe

  • Size

    2.6MB

  • MD5

    595bcd0a806be82959f06afb72d6a4c0

  • SHA1

    b1e3af0a5df5e4ec1910c2be73a3f3e36422d6f8

  • SHA256

    3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517

  • SHA512

    b92379ef39290027d3509b91cceee0abc4b0ec73a6246c088d4232c641e11be6b493f3992e5e3a4287352aaae61cda95a7f89f9da9cc949afd092bc288ecc3c1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
    "C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2724
    • C:\FilesXO\abodec.exe
      C:\FilesXO\abodec.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2728
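Detection logic for the behaviour in the process tree above, as an added example (not sandbox output and not code from the sample). It replays constructed Sysmon-style events, modelled on the report's process tree, dropped files and Run-key IoC, through rules that reproduce the "Drops startup file", "Adds Run key to start application" and "Executes dropped EXE" signatures, and matches dropped files against the SHA256 values listed on this page. The PIDs, paths and hashes are taken from the report; the Run value name "abodec", the HKCU hive form and the notepad.exe control event are assumptions made for the example.

```python
"""Replay of the persistence pattern in the report's process tree.

Added example, not sandbox output and not code from the sample. Event field
names follow Sysmon (Image, TargetFilename, TargetObject, Hash; event IDs
1 = ProcessCreate, 11 = FileCreate, 13 = RegistryEvent value set), but the
events themselves are constructed from the report's process tree.
"""
import re

# SHA256 values copied from the report's dropped-file list.
KNOWN_SHA256 = {
    "8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5": "C:\\FilesXO\\abodec.exe (10KB)",
    "816ad71270a368ebcea286f13c45545fec8664284217f82c30c614c859011a0c": "\\FilesXO\\abodec.exe (2.6MB)",
    "997af6b8024e5fd5838839f26a386fc94c77084e03af86255c2423a4c2a61a01": "Startup\\ecadob.exe",
}

# Persistence locations the report's signatures key on.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
FILESXO_EXE = r"C:\FilesXO\abodec.exe"

# Constructed events in trace order. PIDs and paths follow the report; the Run
# value name, the HKCU hive form and the notepad.exe control event are assumed.
EVENTS = [
    {"id": 1, "pid": 2224, "ppid": 1000, "Image": DROPPER},
    {"id": 11, "pid": 2224, "TargetFilename": STARTUP_EXE,
     "Hash": "SHA256=997AF6B8024E5FD5838839F26A386FC94C77084E03AF86255C2423A4C2A61A01"},
    {"id": 11, "pid": 2224, "TargetFilename": FILESXO_EXE,
     "Hash": "SHA256=8F668B87E4832B3682E49E6EEA02D09A2D52047043F9B41E1307714539FE88E5"},
    {"id": 13, "pid": 2224,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\abodec",
     "Details": FILESXO_EXE},
    {"id": 1, "pid": 2724, "ppid": 2224, "Image": STARTUP_EXE},
    {"id": 1, "pid": 2728, "ppid": 2224, "Image": FILESXO_EXE},
    {"id": 1, "pid": 3000, "ppid": 1000, "Image": r"C:\Windows\System32\notepad.exe"},
]


def startup_folder_drops(events):
    """FileCreate of an .exe inside a user's Startup folder ("Drops startup file")."""
    return [e for e in events if e["id"] == 11 and STARTUP_RE.search(e["TargetFilename"])]


def run_key_persistence(events):
    """Registry value set under a Run/RunOnce key ("Adds Run key to start application")."""
    return [e for e in events if e["id"] == 13 and RUN_KEY_RE.search(e["TargetObject"])]


def executes_dropped_exe(events):
    """ProcessCreate whose image was written earlier in the same trace ("Executes dropped EXE").

    Trace order matters: the FileCreate must precede the ProcessCreate, so a
    process that overwrites its own image after starting does not match.
    """
    dropped = {}  # lower-cased path -> pid that wrote it
    hits = []
    for e in events:
        if e["id"] == 11:
            dropped[e["TargetFilename"].lower()] = e["pid"]
        elif e["id"] == 1 and e["Image"].lower() in dropped:
            hits.append({**e, "dropped_by": dropped[e["Image"].lower()]})
    return hits


def known_hash_matches(events):
    """Dropped files whose SHA256 appears in the report's file list."""
    out = []
    for e in events:
        if e["id"] != 11:
            continue
        sha = e.get("Hash", "").partition("=")[2].lower()  # Sysmon emits "SHA256=<hex>"
        if sha in KNOWN_SHA256:
            out.append((e["TargetFilename"], KNOWN_SHA256[sha]))
    return out


def analyze(events):
    """Counts per signature, in the same vocabulary as the report."""
    return {
        "drops_startup_file": len(startup_folder_drops(events)),
        "adds_run_key": len(run_key_persistence(events)),
        "executes_dropped_exe": len(executes_dropped_exe(events)),
        "known_iocs": len(known_hash_matches(events)),
    }


if __name__ == "__main__":
    for name, count in analyze(EVENTS).items():
        print(f"{name}: {count}")
    for hit in executes_dropped_exe(EVENTS):
        print(f"pid {hit['pid']} ran {hit['Image']} written by pid {hit['dropped_by']}")
```

The "Executes dropped EXE" rule deliberately tracks the writer of each path across the whole trace rather than requiring parent and writer to be the same process: in this report both children are spawned by the dropper that wrote them, but a staged loader can hand the dropped file to a different process, and keying only on the parent would miss that.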

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesXO\abodec.exe

          Filesize

          10KB

          MD5

          a86336805b3d53c18600c251ef3cfa32

          SHA1

          69594cfc6347aa438b9319dfca41704cf4607aa6

          SHA256

          8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5

          SHA512

          2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          165B

          MD5

          0ad0c4483dbb6d676cef081a941de682

          SHA1

          102e9c3f45c845a2129548d8e43dc7d9f0140acb

          SHA256

          3e6fa955e30819ebeea1b7f68cbfce1e24f19c1a3e35b2d7df7d50dcc693519a

          SHA512

          1c76b16218dde2cb81dce4705a628201d5e48492a6ddce36629e41d2f820a79bfbaeb9269abf9749cc9c0301a6fe0996abd0f51c0d4dee2d5c38e122f20baa51

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          197B

          MD5

          e42fdd1efc1c8a2fd8e7d95dff068e0d

          SHA1

          52b048efecde55e45e912f6fbb2a5d94da68f0e9

          SHA256

          2d14cfaf561eb021b843c7e5209f6d37d43eec139cef28988b008f4b156b509b

          SHA512

          2020c5524aecd7355aadf472819c9cd894fb46d5e8943b557fe642e99eeeeceff16105c54e98fb8f045438c06835fcb05c95945fed288bf2cb50ff5f0f843b89

        • C:\VidHQ\bodasys.exe

          Filesize

          2.6MB

          MD5

          1a72ea23760a53fcd298811f8e903a80

          SHA1

          8857d8174ae2fedb3f59a5c6df2cdafcf8bfc1c3

          SHA256

          1b793aaa6fc322c6e9c32b4aaeed50766bfb0e26ad7bd4e3fe60a92cbf8a7a11

          SHA512

          9ad32d3e6728e639cf056430ef6eb6262f99733cf47cf8a0f567f8d0cd2a1bafba1ad7c5c7e3ddb1fc4ccc1c81aaae9e506a5b4cce1fbc28221c51c55deade23

        • C:\VidHQ\bodasys.exe

          Filesize

          2.6MB

          MD5

          50f60f5da304121471bd6de42a10b51b

          SHA1

          fb3c45a40baea1d5ec5ff98a5c33b590fdc0f069

          SHA256

          b26b9b995ead3a74352f1de531202e11bd699432a8408e84207fd1b7390bb997

          SHA512

          bb03bd4f7a3704fbb05daa0f2cb2d3130c9181d0d28ad6a07757ff6c141f1ae3206b4cf2b6ee08f1cae9325764cc2ca0461c0726938786e117daacfcd6fc5bce

        • \FilesXO\abodec.exe

          Filesize

          2.6MB

          MD5

          595d78cf20a7a932ea4079bb6e2f181e

          SHA1

          d5517e1df1147c80c1277c10d67185f7dd426e11

          SHA256

          816ad71270a368ebcea286f13c45545fec8664284217f82c30c614c859011a0c

          SHA512

          de64ae27fdba9ae7d51900510060353e500133d063e8625686a038d04b87f9c912fdd51540cfab062fcac2e38a3572f1a9e378a6f9aafcdae9a157b3287a567b

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          90d1fe6bb03f4884bdef8e4e6544c6b3

          SHA1

          151e9d98c0ff7e5cdf62c8d15e1a4ebad5cf5411

          SHA256

          997af6b8024e5fd5838839f26a386fc94c77084e03af86255c2423a4c2a61a01

          SHA512

          77849ad7d2550ec585e5608f53fe3861429c5a0739d3f10ce985a30c36ac113163d5870275942cd560aeab85130a42b41735f4c6c334c423bff614f550b52615