Analysis

  • max time kernel
    119s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 13:43

General

  • Target

    254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe

  • Size

    2.6MB

  • MD5

    50131cfca770ed812e92c84b28025510

  • SHA1

    5faffb16ba57b2d99cd86f771a55c25a178138d1

  • SHA256

    254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9

  • SHA512

    8eaf537e83ab7f5e2cc2b29ee70a1e89fc1434a9891bfbfbf18012ba81dfdac607e2eba686c0eb08a222c37e8499a854716046baab8a8fff953eb6e8100cef65

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSq:sxX7QnxrloE5dpUpBbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
    "C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2760
    • C:\AdobeRM\abodloc.exe
      C:\AdobeRM\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeRM\abodloc.exe

    Filesize

    2.6MB

    MD5

    00dba6ebfa579573b247364c15fd22a6

    SHA1

    17f6f39c89a59c9956ab2f2e78c344c2645e389c

    SHA256

    60ca215e194e40d1538f4620ba0ad51ee2a06b1249a7ff1650b3eca1f3d671bf

    SHA512

    707731e32e84c83afc1239f06543e53c7198bed19b85af28c19a6ea91b58cac45efecd5f16dc587f21797f5bbab63a91219fe6374cec44b544e8ee8a4d57c2cb

  • C:\GalaxMK\bodxec.exe

    Filesize

    2.6MB

    MD5

    35f9efa4c6c295a5a03185ba83ab3585

    SHA1

    5f005917eae6e6b3dd32ee7d7ff4f223046c2330

    SHA256

    f88c487994fad7af5b73de251151e5b54d664c2f361c55d777abb0acaa1cce55

    SHA512

    bf9aaf162949e9227d8375b9fccb63c32186d151807ddbe8a39ac0ad6d8481c3ee386f8c3f540c118a2522e8745074c945483de6b9433d1f2c64795ced95f134

  • C:\GalaxMK\bodxec.exe

    Filesize

    1.4MB

    MD5

    7f87faff6f5a4c6be9fa102366148ec4

    SHA1

    e26bf725165d640e64e19e49d0765bc9663f95e7

    SHA256

    a2ccb7f4b4eb6ce3efe5c44b143e518f0d5623c895a142120396fcd942c08a44

    SHA512

    304f2ccb267ea4b2e9f6b9dda5578a5f74e302d27c1d5f6cca6a5757e97af91e914d0ef7057f6c4ce286863bd24f2b39c6abb7cbbe91eb7be9e614c3a2111bea

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    168B

    MD5

    dd72145ca1a28a2057ba9ff9bbaa19b0

    SHA1

    655174722a687f4c18c670a89a49081f13a50fb5

    SHA256

    81889d0c638599faafe55b3baddc57f17cbadad673a9278c1870588852546ab7

    SHA512

    d50c558eb967ffa8ea90fae5203baafdfa128e19f21f65cf2d11a2da6798695c6c1ea7d1bdcd054c64d01a21d3f4f008515d8ce27fcaa969b9238d2c79f04c58

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    200B

    MD5

    4ad6b703d7980854b1064f85007e3955

    SHA1

    5162e6622a9550b818fa5399416e59431214c80c

    SHA256

    1e5f8648ed00b31b9257f0dbb34141435efe1c457be9adbb9b4c941202b40a6a

    SHA512

    d20694005f38e2a14f733d4e297224c3501cffb977819775c560f0d6cd42d80e0c493626ab9cb5ab5fc6e7b66ceb31f885166078589c2be6e0ddb0e35a607d7d

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    2.6MB

    MD5

    36a15dfca77c71ff36f791f039c4eddc

    SHA1

    2697c8f840bffd8826b9bcc1fac3e9b4b00fd803

    SHA256

    5bcba13481c0db6843788f03676a544a315c74b7e7cecc42e57f10d325e8a7a0

    SHA512

    7a4a8d2dc3f2221a7be256aa35ca08f7cd141a332c81d1ec8f38af5debb5bd3a8e0e9fee6de5852b444470d8f8740d24ad709bd0dab9d1bce983cd716de64218