Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 17:15

General

  • Target

    5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe

  • Size

    2.6MB

  • MD5

    1adc363340d141addd5da75bbabdcb50

  • SHA1

    37ae4b90d13aac1a98963a6577c209078230ebfc

  • SHA256

    5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6c

  • SHA512

    0cec4e680a693c24871bd786ac4ffeb36502ecbd69ab89686110699eaf6d37b2cb3a28dea4026ff86964bed114a817576df53243687e11b94d1853bd15150e31

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUp0b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
    "C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1900
    • C:\FilesIF\abodec.exe
      C:\FilesIF\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2224

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesIF\abodec.exe

          Filesize

          718KB

          MD5

          b38e8aeb17d02c09c52c077b376d5543

          SHA1

          711dcd5eec7052eff5659e0be1de372eacbe06fe

          SHA256

          c7ac5573fa0da1c15ca73e996940e79c720efeee018fd0615839a16dddcfffae

          SHA512

          9a60be4ef86dc91f02f5f729f5fb58d5af0bcf3ba63faaf119b14916638c2b8d62187ee28e20d198e7f3e82c2c6154e82d2569e206e0f8d6fde1f0bd7e9490cb

        • C:\FilesIF\abodec.exe

          Filesize

          2.6MB

          MD5

          28952d2e88351a61aca35b43c0b88e98

          SHA1

          7ea162178700c55aa383ee10fada9e7cb34c324a

          SHA256

          d3c429a380b76462605a57dc03ee6be60e34a500b44bbf0dca873b2bc32e57bb

          SHA512

          e4ab61faec08e63bc5c5de21ff7f201692b853e26cfb543d7f4fbc9a62487d331f9b4ba343ca701a0ebc64e953e5cf74c2a7ddcbe9a9d5bae7b48e29916f2dff

        • C:\Galax1R\dobdevsys.exe

          Filesize

          31KB

          MD5

          572f2f89fa83cd0e724756eb089249da

          SHA1

          cbfdd4e1e893e9f876d46a79247f38ade618a89b

          SHA256

          cf6be1e16babe319685181c0bc39e48b663392fba1475e11b83d9b9b772a2f54

          SHA512

          16d7748321e538202b878a175d219dd117f409a88d9ea0f79d0f873a9872b9c287f5166a26419d18ca54609ccd763dbef4b000816d7a243b0822fd78adb35950

        • C:\Galax1R\dobdevsys.exe

          Filesize

          2.6MB

          MD5

          328ec8cae72f3d13d97b465c4ecd1062

          SHA1

          3038eed3ddb1f73f38339efa3fd8369f4ca568fb

          SHA256

          db6937f8594238a0561fb7bb9764be50ce706005fbbe41f47411f2ca38e57ef8

          SHA512

          8fda65fcdf6cae9c8d2d38cab773887261ebdabb21150e882927a4444cc74d7407662b21d7ee08cee2fbe8897174efde01e1d5b4137bc9205043142d92b73a36

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          171B

          MD5

          7a4afc58c6694671ddc3a6279b13f680

          SHA1

          4373c90b64ebd1a8a87af1e8f3c14f4dca96a71c

          SHA256

          775a57a281947009a336778e823aa3eb1dd317843a527f77b18f5aac7df8ee91

          SHA512

          d377ab63e02ffb57a70978ecf91c4c640cbfa1e56cf4a0a3244ffeff41386778e15cac97343b3096e7c7147cdd562cbc2295fc648f8a0bd40b8c14effb25e1c7

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          203B

          MD5

          9d835f72e1500ba783fead9f724c5216

          SHA1

          23e37b78fc6624fc0f18e7f5a82231742d32b3ef

          SHA256

          8870236ff0cc0120755b9eb54321bbc6d46575e51b642dcac922d4b3fa463259

          SHA512

          8dac395e64520b082e863093db30dda7920a63ca9de672f5d52dd5e5a2c5382d3cdd221ba6257fa421635244a1f4ae021749df9a4743973b9f1a8ab12355357a

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

          Filesize

          2.6MB

          MD5

          c095cb15034b0bff72a9ad336d8d5691

          SHA1

          26804f04ececb7d3126f5cb547f4e9e3b42eca2a

          SHA256

          ed8a6347eeaf9813a728bbaa8c775bc5d220f2c983c5a74372665d3d97dfeaf2

          SHA512

          7b36952c15698e72adfca704049b2aefdf97d6c61b0f6e69e8cbb8bffbaa3d4b4c8f3ed09ce0f42ad3cd443b43c9c63a43d719ee4a4d4a14c789904976355ffe