Overview

overview

7

Static

static

3

f45aef6ba7...8N.exe

windows7-x64

7

f45aef6ba7...8N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f45aef6ba76c6c99dd256d0b78fa0875cb5a1c24a10211c1323b33c6e849c868N.exe

  • Size

    2.6MB

  • MD5

    a567bf053ab7521a8188fda6e50974c0

  • SHA1

    6ea1f4f48797c80dad085098188f712f2486e2e9

  • SHA256

    f45aef6ba76c6c99dd256d0b78fa0875cb5a1c24a10211c1323b33c6e849c868

  • SHA512

    3d73ef606dbf223a368d0725c3cd72d898d653952fbd058113bfa00bb3b1059d1ebd882158e6caabc53e0e4c1a47a2ced65458e226377ee3bd406d4bb5eb1ffe

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bS:sxX7QnxrloE5dpUpib

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f45aef6ba76c6c99dd256d0b78fa0875cb5a1c24a10211c1323b33c6e849c868N.exe
    "C:\Users\Admin\AppData\Local\Temp\f45aef6ba76c6c99dd256d0b78fa0875cb5a1c24a10211c1323b33c6e849c868N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2248
    • C:\FilesS2\abodloc.exe
      C:\FilesS2\abodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FilesS2\abodloc.exe
    Filesize

    172KB

    MD5

    906e3595156f9e420811629768bf2c11

    SHA1

    e7fee45fcf34468246ba5185127f2751af0c33c5

    SHA256

    8a64cd9ed65b9872807349266e85034ffa20b5bb92e12263ee9ba6a0b72c0da3

    SHA512

    dfed7178e0bb47cb2c2e89e638a77874116c879c1120ac7182cc8052b222b24c7d6c6da840d97e84a9dc6b2ff4452ba7ec0a4d9e1f632a4105149ec942fe752e

    Download Submit

  • C:\FilesS2\abodloc.exe
    Filesize

    2.6MB

    MD5

    0198f1ac92d5c9a4d4448d555fb76080

    SHA1

    a865f35d484a3bb22d20a89f62a622e1038d9632

    SHA256

    84fa351283908e3e150acb608021981ada8a95b877ff17c41725b7b1378a177d

    SHA512

    45e887ddee3a00ed38758e7593f22e91af88fe2fd144f387ef11e8ef42324d5e7147844d942a51cacf56e97ffaba733eed4d0f5305e279245ddb5fec6e812623

    Download Submit

  • C:\KaVBB0\dobaec.exe
    Filesize

    512B

    MD5

    e5f87ced043dbdc34bbd32a8dd98972e

    SHA1

    64802c7da01c2a964cff79e6e5038fd6aa5ba388

    SHA256

    481c17ffa324206b6ad488b63518822bcdb94e0b8487044790d29812cb164295

    SHA512

    1b6992d7e5a3b0472b16f5ac08ad73b4a5f15cbc0b383e94c2a67c7d35a779abd25b5a0551f1aa5716bab77a9dcd396e2131b700f7d679b9f8518f173b80613f

    Download Submit

  • C:\KaVBB0\dobaec.exe
    Filesize

    2.6MB

    MD5

    8186f4a310edff1ac6107118345d3403

    SHA1

    66fa9f10563a8c7d9eb51eecf386bc193686aa98

    SHA256

    0dce947f44ee80cc0ffe811f40253d8b15de2888c021830ae823d65fc2d47270

    SHA512

    c66e9c7663793ab14cfc073aa197d84bb7cbe6abc216d2a7797f304cc6736ff9982100bf4f2be8f81753b416dff535560211353fab86d80ea53b3ae308f6daa6

    Download Submit

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    199B

    MD5

    ed332a2f80ee8042f88fd887386ab600

    SHA1

    7d03d26ef16806a5040b89bf5ca7e0b77e922bce

    SHA256

    9d77ba689b61f0e801c78f5754be585afe43459ca89cb227620b78c51755773e

    SHA512

    209b4aaac042c45806710b96ecddf78f031c413004da7b8be24ed9f54bd90a325630c1479207420a8f932990cc14e49d026d5b2d516d484d783df0992afe19a4

    Download Submit

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    167B

    MD5

    78af4d46f75e73957194c7bc28e813bb

    SHA1

    4b9702842c37845813c09215203dad78595a71aa

    SHA256

    e63c925d5d0b40266e12016a780a585385bbf1cec208fc87754b93b840e09944

    SHA512

    9808df8deb3f731735bc5991ac3de4e4c12c6fed21bcd86a824efeb1add26236048f96e80ad180f8bf22617ac795cb141125b1b57565d0a20be10427577af40c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
    Filesize

    2.6MB

    MD5

    338354be7aa4498749e44abd27f519be

    SHA1

    42b5dc6a4d825189a8f59eb08a6a16348b3c27e9

    SHA256

    ebf834327cd31cb96c43f79dd68057b1d5b6386f58cb5103a11f768912729090

    SHA512

    949891e433b3671d3f0ac3269b3e985612f38258fbae2aa1430e50d1f797c47194aea28702c07fe4be18868bb62b8224c2371283219fd754c5436e762b261a7b

    Download Submit