e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe
Size

4.0MB
MD5

d62977d01287e3c305db1bb01055b0c9
SHA1

99be6ecf4f44cb319db29e672d896e8c6bf1925e
SHA256

e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc
SHA512

aefe72d2fa6785c40366d892b443ae5816a6303f597fd4104015971ad45a2368e3a6e21c24c55b5d82bc28f58651e529c9bb754c35903f0ca29ee6d0188d0bc3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp+bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe

Executes dropped EXE 2 IoCs

pid	Process
4904	ecxbod.exe
3852	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBL\\xdobsys.exe"	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEW\\boddevloc.exe"	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe
5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe
5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe
5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe
4904	ecxbod.exe
4904	ecxbod.exe
3852	xdobsys.exe
3852	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4904	5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe	93
PID 5100 wrote to memory of 4904	5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe	93
PID 5100 wrote to memory of 4904	5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe	93
PID 5100 wrote to memory of 3852	5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe	94
PID 5100 wrote to memory of 3852	5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe	94
PID 5100 wrote to memory of 3852	5100	e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe	94

C:\Users\Admin\AppData\Local\Temp\e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe
"C:\Users\Admin\AppData\Local\Temp\e1c38c9e8abf131c9d9dbac4a65127b5292d6a3b86f56d11161498cdd75f0dbc.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\SysDrvBL\xdobsys.exe
  C:\SysDrvBL\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBEW\boddevloc.exe

Filesize
4.0MB

MD5
db3259e3dbba07ab720d5d9dfd4d4fe3

SHA1
83dd4fd747c347d708c03354eba436be99fb54b8

SHA256
a897edb7519661f8c89b93df6761b0ecac035fabd1fcabfceb12b5d543aedf92

SHA512
4d0af8a2204e25290bffb8bf007a762d9044411246f6f29875988848d8d83d60703cf964a33f716ebbc1ca6237f3d9d661b76cfc02ba4c0193c31250190cfae3

Download Submit
C:\KaVBEW\boddevloc.exe

Filesize
4.0MB

MD5
d2312e7ee99d29b02c10e12b904ee040

SHA1
8bfffe048ef6973a07ae009f629e90cab05bdc78

SHA256
7f9cb02e69199ce78df99acf33b4d8a7fc6a84f001b74c6f11c48170cc380c64

SHA512
8d4ae66b192fde02845f67c807a157680b64d28b1ce51f6feb721c4014a3dbada10d24b40d63d625757cf76ffeb460d4928236f1ba7ba274ea36060a4e22051d

Download Submit
C:\SysDrvBL\xdobsys.exe

Filesize
4.0MB

MD5
e056f06910a15c8cbbb9bf2295b8e941

SHA1
194a7e8831a3f3121ee25ce5b57a1e7e70e0ca1d

SHA256
6aaa23c3feb5ab68543fb9fac3696eae5dc6e0493a80943a2faf1547d6a79e80

SHA512
5fc75b9c7be8b2b6f49b1fb7bddb304e368f617c04e8e851342e216b2f115fd6b45ffa98bfa53d306cd99a5cb9b7b5f2bef1baa8633de56fbc99f6c57f46ee8b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
01a74a24c27f37aa4096eb7acbb92936

SHA1
195015ef84adcf0d91fdc852393971e2d71a1adc

SHA256
86a1b248b55298f44302cb797941090b6ab85217f2c2aeb596979b7d32c30d72

SHA512
7ef66933526417c6c917d33d1db083afe8979c1cac4878d03f60522ce2eac9af050595e7001308e735b5b77b9e79639a378966d5e327fc997e39d92112de1606

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
b1ac48df705c4e44c9f6f7129a5a9b76

SHA1
dd192eb75769287b9a9f92c6e907d73f155d795c

SHA256
cc5dc2b112f123d06f25ba112b164373456339b2b1e216185832b215b3e2f427

SHA512
7d5e56a0855fddbb95f4814fead59ac8085f734dc3c6eec03180fdcb603cc97d3fd51209104b5041c01e1eddfdefac7822846e525dd4da201de24dfee49f24e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
4.0MB

MD5
5ecf4e0b0ef0c364ed966d1a136d33dd

SHA1
2cb4a9406e58cc5fe61c891a794ef1fa11c9652a

SHA256
2f328426b831bd6ab2f33c55398712f2f4ff4ba7ab03b8089f819227676a4f55

SHA512
304730cc1c4dd24ec0d99f1eba53ea594a183492c7563800731c7cc4ee3768b5560f9747275f793ce089c0fba9af55e727bf81fd518825115a24ca90488a9d2a

Download Submit