Analysis

max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:32
Static task: static1

Behavioral task: behavioral1
  Sample: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
  Resource: win10v2004-20241007-en
General

Target: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
Size: 2.6MB
MD5: 595bcd0a806be82959f06afb72d6a4c0
SHA1: b1e3af0a5df5e4ec1910c2be73a3f3e36422d6f8
SHA256: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517
SHA512: b92379ef39290027d3509b91cceee0abc4b0ec73a6246c088d4232c641e11be6b493f3992e5e3a4287352aaae61cda95a7f89f9da9cc949afd092bc288ecc3c1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bS:sxX7QnxrloE5dpUpRb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    by 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe

Executes dropped EXE (2 IoCs)
  PID 2724  ecadob.exe
  PID 2728  abodec.exe

Loads dropped DLL (2 IoCs)
  PID 2224  3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents. This signature carries TTP references only; no per-process IoC is listed for it in this report.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXO\\abodec.exe"
    by 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHQ\\bodasys.exe"
    by 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
  Both values use the same value name (Parametr). The Run target C:\FilesXO\abodec.exe is executed later in this run (PID 2728); the RunOnce target C:\VidHQ\bodasys.exe does not appear among the processes observed.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ecadob.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by abodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2224  3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe  (2 entries)
  PID 2724  ecadob.exe  (31 entries)
  PID 2728  abodec.exe  (31 entries)
  The original table lists the two dropped executables alternately; the counts above are the collapsed form.
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2224 (3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe) wrote to memory of PID 2724 (ecadob.exe), procid_target 30: 4 entries
  PID 2224 (3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe) wrote to memory of PID 2728 (abodec.exe), procid_target 31: 4 entries
  All eight writes go from the sample into the two child processes it launched.
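The persistence IoCs above (a file dropped into the per-user Startup folder plus Run and RunOnce values pointing at executables under C:\FilesXO and C:\VidHQ) can be turned into endpoint detection logic. The script below is an added example, not part of the sandbox output; it runs over constructed Sysmon-style events (Event ID 11 FileCreate and Event ID 13 registry value set, with the field names Image, TargetFilename, TargetObject and Details assumed from Sysmon's schema) that mirror the report's IoCs, and includes a constructed benign control that must not fire. The rule flags the registry value itself rather than checking that the target exists, because, as this report shows, a RunOnce value can point at a path (C:\VidHQ\bodasys.exe) that never runs during the observed window.

```python
"""Persistence detection for the IoC classes in this report, run over
constructed Sysmon-style events. Added example; not sandbox output."""
import re
from collections import defaultdict

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe")
USER_HIVE = r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000"

# Constructed events modelled on the report's IoCs. Field names follow Sysmon
# Event ID 11 (FileCreate) and 13 (RegistryEvent, value set); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2224, "Image": SAMPLE_IMAGE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\ecadob.exe"},
    {"EventID": 13, "ProcessId": 2224, "Image": SAMPLE_IMAGE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\FilesXO\abodec.exe"},
    {"EventID": 13, "ProcessId": 2224, "Image": SAMPLE_IMAGE,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\VidHQ\bodasys.exe"},
    # Benign control (constructed): a vendor installer registering an updater
    # that lives under Program Files. It must not produce a finding.
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /quiet'},
]

# Executable-type files created directly in the per-user Startup folder.
STARTUP_DROP = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+"
    r"\.(exe|dll|scr|com|bat|cmd|vbs|js|ps1|lnk)$", re.I)
# Any value written under the user's Run or RunOnce key.
RUN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Autorun targets under these roots are treated as low-signal in this example.
TRUSTED_DIR = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)


def exe_from_run_value(details):
    """Extract the executable path from a Run value (quoted path or first token)."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split(" ", 1)[0]


def evaluate(events):
    """Return one finding per matching event; a process that uses two or more
    distinct persistence mechanisms has all of its findings rated high."""
    findings, mechanisms = [], defaultdict(set)
    for ev in events:
        rule = ioc = None
        if ev["EventID"] == 11 and STARTUP_DROP.search(ev["TargetFilename"]):
            rule, ioc = "startup_folder_drop", ev["TargetFilename"]
        elif ev["EventID"] == 13:
            m = RUN_VALUE.search(ev["TargetObject"])
            if m:
                exe = exe_from_run_value(ev["Details"])
                if not TRUSTED_DIR.match(exe):  # autorun outside Windows/Program Files
                    rule = f"{m.group(1).lower()}_untrusted_autorun"
                    ioc = f"{m.group(2)} -> {exe}"
        if rule:
            findings.append({"pid": ev["ProcessId"], "image": ev["Image"],
                             "rule": rule, "ioc": ioc})
            mechanisms[ev["ProcessId"]].add(rule)
    for f in findings:
        f["severity"] = "high" if len(mechanisms[f["pid"]]) >= 2 else "medium"
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['rule']}: {f['ioc']}")
```

On the constructed input this yields three findings, all attributed to PID 2224 and all rated high because the same process combined a Startup-folder drop with Run and RunOnce values; the Program Files control produces nothing. In production the TRUSTED_DIR allow-list should be tightened to signed binaries or a known-good inventory rather than directory prefixes alone.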
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe (PID 2224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (PID 2724, child of 2224)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\FilesXO\abodec.exe (PID 2728, child of 2224)
    Command line: C:\FilesXO\abodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 10KB
MD5: a86336805b3d53c18600c251ef3cfa32
SHA1: 69594cfc6347aa438b9319dfca41704cf4607aa6
SHA256: 8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5
SHA512: 2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93

Filesize: 165B
MD5: 0ad0c4483dbb6d676cef081a941de682
SHA1: 102e9c3f45c845a2129548d8e43dc7d9f0140acb
SHA256: 3e6fa955e30819ebeea1b7f68cbfce1e24f19c1a3e35b2d7df7d50dcc693519a
SHA512: 1c76b16218dde2cb81dce4705a628201d5e48492a6ddce36629e41d2f820a79bfbaeb9269abf9749cc9c0301a6fe0996abd0f51c0d4dee2d5c38e122f20baa51

Filesize: 197B
MD5: e42fdd1efc1c8a2fd8e7d95dff068e0d
SHA1: 52b048efecde55e45e912f6fbb2a5d94da68f0e9
SHA256: 2d14cfaf561eb021b843c7e5209f6d37d43eec139cef28988b008f4b156b509b
SHA512: 2020c5524aecd7355aadf472819c9cd894fb46d5e8943b557fe642e99eeeeceff16105c54e98fb8f045438c06835fcb05c95945fed288bf2cb50ff5f0f843b89

Filesize: 2.6MB
MD5: 1a72ea23760a53fcd298811f8e903a80
SHA1: 8857d8174ae2fedb3f59a5c6df2cdafcf8bfc1c3
SHA256: 1b793aaa6fc322c6e9c32b4aaeed50766bfb0e26ad7bd4e3fe60a92cbf8a7a11
SHA512: 9ad32d3e6728e639cf056430ef6eb6262f99733cf47cf8a0f567f8d0cd2a1bafba1ad7c5c7e3ddb1fc4ccc1c81aaae9e506a5b4cce1fbc28221c51c55deade23

Filesize: 2.6MB
MD5: 50f60f5da304121471bd6de42a10b51b
SHA1: fb3c45a40baea1d5ec5ff98a5c33b590fdc0f069
SHA256: b26b9b995ead3a74352f1de531202e11bd699432a8408e84207fd1b7390bb997
SHA512: bb03bd4f7a3704fbb05daa0f2cb2d3130c9181d0d28ad6a07757ff6c141f1ae3206b4cf2b6ee08f1cae9325764cc2ca0461c0726938786e117daacfcd6fc5bce

Filesize: 2.6MB
MD5: 595d78cf20a7a932ea4079bb6e2f181e
SHA1: d5517e1df1147c80c1277c10d67185f7dd426e11
SHA256: 816ad71270a368ebcea286f13c45545fec8664284217f82c30c614c859011a0c
SHA512: de64ae27fdba9ae7d51900510060353e500133d063e8625686a038d04b87f9c912fdd51540cfab062fcac2e38a3572f1a9e378a6f9aafcdae9a157b3287a567b

Filesize: 2.6MB
MD5: 90d1fe6bb03f4884bdef8e4e6544c6b3
SHA1: 151e9d98c0ff7e5cdf62c8d15e1a4ebad5cf5411
SHA256: 997af6b8024e5fd5838839f26a386fc94c77084e03af86255c2423a4c2a61a01
SHA512: 77849ad7d2550ec585e5608f53fe3861429c5a0739d3f10ce985a30c36ac113163d5870275942cd560aeab85130a42b41735f4c6c334c423bff614f550b52615