Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 19:51

General

  • Target

    2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe

  • Size

    2.6MB

  • MD5

    5aef48c6c4105e9bae2f75d303ad0794

  • SHA1

    d5e48de1a63ff8b1a73afeb8d3cb001ba2d9f0f4

  • SHA256

    2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106

  • SHA512

    b1f12aab628149631fcfa40921da2ee2be9357d91e9b9f2cb6756ba67108f55bd691fefc25e6f30c9a1d0d89eb3314b4aeca519516e7931b8bd25724260d51f3

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS2:sxX7QnxrloE5dpUp/bX

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
    "C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2488
    • C:\FilesIF\abodec.exe
      C:\FilesIF\abodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesIF\abodec.exe

    Filesize

    2.6MB

    MD5

    d29e0dd61b3e407b96e7b0d6fb747379

    SHA1

    2b0b51d27993f4df123bf69d2e012dffe72775fb

    SHA256

    000ee6c915a2012adcde03651cdc9ded78b35e5383385fd35cfe65806d366285

    SHA512

    50648ad2f517be4bb750d8e4b616ac9010b3dec9bd94d239b776bef478990538e683c4d834e1c16ccb5f12213b00a0a9925cb20fc18706ce91ebb5ab8cdbd3cb

  • C:\Galax1R\dobdevsys.exe

    Filesize

    108KB

    MD5

    194d6a8580113088ee1cb16ce995b7eb

    SHA1

    82be3c34f30529bdf2e6b39f0c449d1962a96e53

    SHA256

    4468ab84670d2d1f1ef1345571ca92da2eccb7e97b84fbf6eba1fe50f5b8174d

    SHA512

    17a671fc890ce788cf6326eca6d2c6134cdfef5342edb6d44b21d1061f179172855d2fb3c96795e8995d482391519bd1edf26eb5cbefdca064cce1a39ab94edd

  • C:\Galax1R\dobdevsys.exe

    Filesize

    2.6MB

    MD5

    87fb4b911f1ccd440e8ba78b1472973f

    SHA1

    f24e9e37e0c0a12c6a8aa934549d82c2c98d639e

    SHA256

    63a0d1e652d24fed85c6e82428ede193dbc4a74bf8ed742821c6978f9ae478b8

    SHA512

    6cb0a4524a4cc4431de45e1165a5167bdb5c460573ae9ea98d20b240becb55ae61054d623baa0b8912d80e436e7e7c882f3ce5e75163444f416e8499387bf5dd

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    7a4afc58c6694671ddc3a6279b13f680

    SHA1

    4373c90b64ebd1a8a87af1e8f3c14f4dca96a71c

    SHA256

    775a57a281947009a336778e823aa3eb1dd317843a527f77b18f5aac7df8ee91

    SHA512

    d377ab63e02ffb57a70978ecf91c4c640cbfa1e56cf4a0a3244ffeff41386778e15cac97343b3096e7c7147cdd562cbc2295fc648f8a0bd40b8c14effb25e1c7

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    9d835f72e1500ba783fead9f724c5216

    SHA1

    23e37b78fc6624fc0f18e7f5a82231742d32b3ef

    SHA256

    8870236ff0cc0120755b9eb54321bbc6d46575e51b642dcac922d4b3fa463259

    SHA512

    8dac395e64520b082e863093db30dda7920a63ca9de672f5d52dd5e5a2c5382d3cdd221ba6257fa421635244a1f4ae021749df9a4743973b9f1a8ab12355357a

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    2.6MB

    MD5

    f51b6c95576fc3919596ad4634544cef

    SHA1

    7c7b3649a9f8f9d85654db98598ed0342d63fbab

    SHA256

    76e413f95c140fee1cdacce443557d360fa2733d6aab8a5f2ed22c0db4e4d5fe

    SHA512

    4d1bffc3df4cd28101770025215460b7d234474955847d750ffb83819b4c6269cbac8d9ff1a1bd99d941be087f77517d4ab4b7e459f5c88bf6e94f887338d1cf