Analysis
- max time kernel: 120s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 17:21
Static task: static1

Behavioral task: behavioral1
- Sample: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
- Resource: win10v2004-20241007-en
General
- Target: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
- Size: 2.6MB
- MD5: b02acf8834d13c489e9d68c88e408a00
- SHA1: 1138f824f9ea808c7c7456c09168672f04a6a07a
- SHA256: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59
- SHA512: 6dd195588b647e254b454d6017c20c22177e912fbe7280fd0638dac9496ecbe323c90b64577f1879634d1ae75493326636a2ddd74f33dd6a00a1e22d6e56bb89
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bS:sxX7QnxrloE5dpUpDb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  Process: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
- Executes dropped EXE (2 IoCs)
  pid 2156  Process ecxdob.exe
  pid 2948  Process abodloc.exe
- Loads dropped DLL (2 IoCs)
  pid 1740  Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
  pid 1740  Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8L\\abodloc.exe"
  Process: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGU\\optixec.exe"
  Process: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecxdob.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: abodloc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 events recorded across the following processes:
  pid 1740  Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
  pid 2156  Process ecxdob.exe
  pid 2948  Process abodloc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1740 wrote to memory of 2156; pid 1740; Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe; procid_target 30
  description: PID 1740 wrote to memory of 2156; pid 1740; Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe; procid_target 30
  description: PID 1740 wrote to memory of 2156; pid 1740; Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe; procid_target 30
  description: PID 1740 wrote to memory of 2156; pid 1740; Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe; procid_target 30
  description: PID 1740 wrote to memory of 2948; pid 1740; Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe; procid_target 31
  description: PID 1740 wrote to memory of 2948; pid 1740; Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe; procid_target 31
  description: PID 1740 wrote to memory of 2948; pid 1740; Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe; procid_target 31
  description: PID 1740 wrote to memory of 2948; pid 1740; Process f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe; procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe"
  PID: 1740
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    PID: 2156
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\Files8L\abodloc.exe
    Command line: C:\Files8L\abodloc.exe
    PID: 2948
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads