Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:51
Static task: static1

Behavioral task: behavioral1
Sample: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
Resource: win10v2004-20241007-en
General

Target: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe
Size: 2.6MB
MD5: 5aef48c6c4105e9bae2f75d303ad0794
SHA1: d5e48de1a63ff8b1a73afeb8d3cb001ba2d9f0f4
SHA256: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106
SHA512: b1f12aab628149631fcfa40921da2ee2be9357d91e9b9f2cb6756ba67108f55bd691fefc25e6f30c9a1d0d89eb3314b4aeca519516e7931b8bd25724260d51f3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS2:sxX7QnxrloE5dpUp/bX
Malware Config
Signatures

Drops startup file (1 IoC)
Process: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe (PID 2844)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Executes dropped EXE (2 IoCs)
  PID 2488  ecdevbod.exe
  PID 2032  abodec.exe

Loads dropped DLL (2 IoCs)
  PID 2844  2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe (2 entries; the report does not list the DLL path)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. The report lists no file or registry IoCs for this signature, only the TTP mapping.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe (PID 2844)
  Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIF\\abodec.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1R\\dobdevsys.exe"
Both values use the same name, "Parametr". The RunOnce target C:\Galax1R\dobdevsys.exe does not appear in the process tree below, so it was registered but not executed during this run.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe (PID 2844)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by ecdevbod.exe (PID 2488)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by abodec.exe (PID 2032)
All three processes (the dropper and both dropped executables) perform the same language check.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2844  2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe (2 entries)
  PID 2488  ecdevbod.exe and PID 2032  abodec.exe (the remaining 62 entries, alternating between the two)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2844 (2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe) wrote to memory of PID 2488 (ecdevbod.exe), procid_target 28, 4 entries
  PID 2844 (2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe) wrote to memory of PID 2032 (abodec.exe), procid_target 29, 4 entries
All eight writes go from the parent into the two child processes it spawned (see the process tree below); no write into a pre-existing or unrelated process is recorded.
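Host sweep for the artifacts recorded under "Drops startup file", "Adds Run key to start application" and the hash lists on this page, as an added example that is not part of the sandbox report. The file paths, value name and SHA256 values are taken from the report; the function names (Get-SuspectFiles, Get-SuspectRunValues), the parameter choices, the decision to check every profile and every loaded user hive rather than only the "Admin" account and the one SID the sandbox assigned, and the hash comparison against the report's Downloads list are assumptions of this example.

```powershell
# Added example (not part of the sandbox report): sweep a Windows host for the
# persistence artifacts and dropped files this report records.
# IOC values are from the report; function and variable names are my own.

# SHA256 values from the "General" and "Downloads" sections of the report.
$KnownSha256 = @(
    '2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106',  # submitted sample
    '000ee6c915a2012adcde03651cdc9ded78b35e5383385fd35cfe65806d366285',
    '4468ab84670d2d1f1ef1345571ca92da2eccb7e97b84fbf6eba1fe50f5b8174d',
    '63a0d1e652d24fed85c6e82428ede193dbc4a74bf8ed742821c6978f9ae478b8',
    '775a57a281947009a336778e823aa3eb1dd317843a527f77b18f5aac7df8ee91',
    '8870236ff0cc0120755b9eb54321bbc6d46575e51b642dcac922d4b3fa463259',
    '76e413f95c140fee1cdacce443557d360fa2733d6aab8a5f2ed22c0db4e4d5fe'
)

# Paths the sample wrote or registered ("Drops startup file", "Adds Run key").
# The Startup-folder path is checked under every profile in <SystemDrive>\Users,
# because the "Admin" user in the report is just the sandbox account.
$DroppedRelative = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe'
$DroppedAbsolute = @('C:\FilesIF\abodec.exe', 'C:\Galax1R\dobdevsys.exe')

function Get-SuspectFiles {
    $paths = @($DroppedAbsolute)
    $usersRoot = Join-Path $env:SystemDrive 'Users'
    foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue) {
        $paths += Join-Path $userDir.FullName $DroppedRelative
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            # Get-FileHash requires PowerShell 4.0 or later.
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            [pscustomobject]@{
                Path      = $p
                Sha256    = $hash
                KnownHash = ($KnownSha256 -contains $hash)   # matches a hash on the report page?
            }
        }
    }
}

# Look for the "Parametr" value under Run and RunOnce in every loaded user hive.
# HKEY_USERS only holds hives of currently loaded profiles; logged-off users'
# NTUSER.DAT files would have to be loaded separately.
function Get-SuspectRunValues {
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$sub"
            $value = Get-ItemProperty -Path $key -Name 'Parametr' -ErrorAction SilentlyContinue
            if ($value) {
                [pscustomobject]@{
                    Hive    = $hive.PSChildName   # the user SID
                    Key     = $sub
                    Command = $value.Parametr
                }
            }
        }
    }
}

$files = @(Get-SuspectFiles)
$runs  = @(Get-SuspectRunValues)
if ($files.Count -eq 0 -and $runs.Count -eq 0) {
    'No artifacts from this report were found on this host.'
} else {
    $files | Format-Table -AutoSize
    $runs  | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that other users' profile folders and hives are readable. A hit on the file paths or on a "Parametr" value pointing at C:\FilesIF or C:\Galax1R is the strong indicator; a "Parametr" value alone, with a different command, is worth a look but is not by itself evidence of this sample. A file at one of the paths whose SHA256 is not in the report's list is still suspicious: the Downloads section lists several 2.6MB payloads with different hashes, so other builds may drop the same filenames.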
Processes

C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe  (depth 1, PID 2844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe  (depth 2, PID 2488, parent PID 2844)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesIF\abodec.exe  (depth 2, PID 2032, parent PID 2844)
    Command line: C:\FilesIF\abodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped files (the report lists hashes only, without filenames):

Filesize: 2.6MB
MD5: d29e0dd61b3e407b96e7b0d6fb747379
SHA1: 2b0b51d27993f4df123bf69d2e012dffe72775fb
SHA256: 000ee6c915a2012adcde03651cdc9ded78b35e5383385fd35cfe65806d366285
SHA512: 50648ad2f517be4bb750d8e4b616ac9010b3dec9bd94d239b776bef478990538e683c4d834e1c16ccb5f12213b00a0a9925cb20fc18706ce91ebb5ab8cdbd3cb

Filesize: 108KB
MD5: 194d6a8580113088ee1cb16ce995b7eb
SHA1: 82be3c34f30529bdf2e6b39f0c449d1962a96e53
SHA256: 4468ab84670d2d1f1ef1345571ca92da2eccb7e97b84fbf6eba1fe50f5b8174d
SHA512: 17a671fc890ce788cf6326eca6d2c6134cdfef5342edb6d44b21d1061f179172855d2fb3c96795e8995d482391519bd1edf26eb5cbefdca064cce1a39ab94edd

Filesize: 2.6MB
MD5: 87fb4b911f1ccd440e8ba78b1472973f
SHA1: f24e9e37e0c0a12c6a8aa934549d82c2c98d639e
SHA256: 63a0d1e652d24fed85c6e82428ede193dbc4a74bf8ed742821c6978f9ae478b8
SHA512: 6cb0a4524a4cc4431de45e1165a5167bdb5c460573ae9ea98d20b240becb55ae61054d623baa0b8912d80e436e7e7c882f3ce5e75163444f416e8499387bf5dd

Filesize: 171B
MD5: 7a4afc58c6694671ddc3a6279b13f680
SHA1: 4373c90b64ebd1a8a87af1e8f3c14f4dca96a71c
SHA256: 775a57a281947009a336778e823aa3eb1dd317843a527f77b18f5aac7df8ee91
SHA512: d377ab63e02ffb57a70978ecf91c4c640cbfa1e56cf4a0a3244ffeff41386778e15cac97343b3096e7c7147cdd562cbc2295fc648f8a0bd40b8c14effb25e1c7

Filesize: 203B
MD5: 9d835f72e1500ba783fead9f724c5216
SHA1: 23e37b78fc6624fc0f18e7f5a82231742d32b3ef
SHA256: 8870236ff0cc0120755b9eb54321bbc6d46575e51b642dcac922d4b3fa463259
SHA512: 8dac395e64520b082e863093db30dda7920a63ca9de672f5d52dd5e5a2c5382d3cdd221ba6257fa421635244a1f4ae021749df9a4743973b9f1a8ab12355357a

Filesize: 2.6MB
MD5: f51b6c95576fc3919596ad4634544cef
SHA1: 7c7b3649a9f8f9d85654db98598ed0342d63fbab
SHA256: 76e413f95c140fee1cdacce443557d360fa2733d6aab8a5f2ed22c0db4e4d5fe
SHA512: 4d1bffc3df4cd28101770025215460b7d234474955847d750ffb83819b4c6269cbac8d9ff1a1bd99d941be087f77517d4ab4b7e459f5c88bf6e94f887338d1cf