Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:15
Static task: static1
Behavioral task: behavioral1
  Sample: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
  Resource: win10v2004-20241007-en
General
Target: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
Size: 2.6MB
MD5: 1adc363340d141addd5da75bbabdcb50
SHA1: 37ae4b90d13aac1a98963a6577c209078230ebfc
SHA256: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6c
SHA512: 0cec4e680a693c24871bd786ac4ffeb36502ecbd69ab89686110699eaf6d37b2cb3a28dea4026ff86964bed114a817576df53243687e11b94d1853bd15150e31
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bS:sxX7QnxrloE5dpUp0b
Malware Config
Signatures
- Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
- Executes dropped EXE 2 IoCs
  pid   Process
  1900  ecdevbod.exe
  2224  abodec.exe
- Loads dropped DLL 2 IoCs
  pid   Process
  2844  5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
  2844  5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIF\\abodec.exe"
  Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1R\\dobdevsys.exe"
  Process: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
- System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  abodec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdevbod.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  2844  5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
  1900  ecdevbod.exe
  2224  abodec.exe
  (the 64 entries repeat these three pid/process pairs)
- Suspicious use of WriteProcessMemory 8 IoCs
  description                        pid   Process                                                                  procid_target
  PID 2844 wrote to memory of 1900   2844  5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe  28  (4 entries)
  PID 2844 wrote to memory of 2224   2844  5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe  29  (4 entries)
Processes
- Level 1: "C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  PID: 2844
  - Level 2: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
    PID: 1900
  - Level 2: "C:\FilesIF\abodec.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
    PID: 2224
Network
MITRE ATT&CK Enterprise v15
Downloads