Analysis

  • max time kernel: 119s
  • max time network: 96s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 13:52

General

  • Target: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
  • Size: 2.6MB
  • MD5: 49333303d89ee476bb4c0530413e26f0
  • SHA1: 20e7e5e65bf92a7566f733c9b1abf5253e56bcf9
  • SHA256: 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109
  • SHA512: 1befd8176f259a8bf390c0901a26ee350b046877318cc626e1c82e3a03eb2745d867f3d64b3450d7ac391b8f834d6e32ee3d680081c677ac6c6f15a246827601
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq:sxX7QnxrloE5dpUpUbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
    "C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3176
    • C:\IntelprocEH\abodsys.exe
      C:\IntelprocEH\abodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocEH\abodsys.exe
    Filesize: 2.6MB
    MD5: 8c1c896a5eded367b0123e57e80f8942
    SHA1: 58b9ec3001e2af2ba7f99089d4b60c945dace020
    SHA256: f9912008bcb976ba2798d7a276cc276b6ac32c80860d60352ae6ad7dd05dd7aa
    SHA512: 6902c3b9d5523950ff08a7b155e6e36ba5ba99e81ca94d7742a410c37812cbd2c522ccaf499f89cfafb5f594d56caa21c57ce63a98125987acd1ad4de00754e3

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 203B
    MD5: 73518b704a0166169030cb137348c03e
    SHA1: 81151da524a900bfaa3891ee7b1bcc506626d687
    SHA256: 0c380269a32570ccadb2cd759013b7e3fd371e49a4d705d55c2e7943c5999a9f
    SHA512: 0081bc10c20a542b1e0fb7b76d7d03b3b5878d9b227db49f6142cfb182613dbb27f69ab3ab9c1333ac3c4049f4fc4f4d1d620fd4b99f7b01ae9fcdd58e9756d9

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 171B
    MD5: 51bc193499e6a2b803b9ea4b75e64907
    SHA1: 5ea0fcd9fcff8c275f60ce76facadb7bc6f843e6
    SHA256: 9bce529778e39ca4244e5292e6e5d99424cdfac6c3563d777e23c8ed7354461c
    SHA512: f85b924070b8b4d85d574fd83c2fe36f920f8de829d77118dafb72f522926a80b6e09f44d45bd2e3d232f3f022cee617d2d73993852ae74d597d27e3daff2c67

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize: 2.6MB
    MD5: e543027f8915a2e2e51aa7ba7bf4985d
    SHA1: 565b9a01f89627ee0a1cb016f75c62e69188a7ef
    SHA256: 268ca18b5169469cc562c405fdfb48b51e300e76dbfffbf99ee9f1f0cf389c57
    SHA512: 28a1bab01118e5fa5d6d30bb45160e1dc34b81793d423740fa83e34461b48e8d3c54cc6d0220ec7308d21af567bca3e764ce88039a77c79c3a7a2542e823c107

  • C:\VidZT\bodaloc.exe
    Filesize: 2.6MB
    MD5: ccde3e37a4a69ee82e64c70e983fd4af
    SHA1: 6e48f17ce495e4dc994ce309767055db42d9c957
    SHA256: 11576c48ef7443acb159726500dff23d5d3ac5a3612af6aea7c6232ca5ec055d
    SHA512: 3229559a864172c26ff4be7e7c61257347dad751672d244f0b1c1a409f1474156203e616a5cd66c33e6bd1c93656be310d3b014813b398f1649e0d5bf38eb637

  • C:\VidZT\bodaloc.exe
    Filesize: 6KB
    MD5: eca5ea25f6a32a95c09d2d11f140c43b
    SHA1: fc7c4ffc46b345747cc079073a62c80c129f2442
    SHA256: 7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17
    SHA512: 27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61