43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
Size

3.0MB
MD5

44baab70116f04bf66825695716ac7d7
SHA1

e82790893da33573ed32d0ed8fbd1d3565fc0ea8
SHA256

43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a
SHA512

1175955d67bcda448a1890c09e2e99aeaba2864b3ee63c449a0039837f519b13b49a6bdaeb89e0f95ae8f676da6c092a83b3e2f22d229b53acd8ace61734d0a6
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUpVbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe

Executes dropped EXE 2 IoCs

pid	Process
1996	locabod.exe
2660	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVX\\xbodec.exe"	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIJ\\bodxec.exe"	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe
1996	locabod.exe
2660	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1996	840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe	28
PID 840 wrote to memory of 1996	840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe	28
PID 840 wrote to memory of 1996	840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe	28
PID 840 wrote to memory of 1996	840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe	28
PID 840 wrote to memory of 2660	840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe	29
PID 840 wrote to memory of 2660	840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe	29
PID 840 wrote to memory of 2660	840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe	29
PID 840 wrote to memory of 2660	840	43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe	29

C:\Users\Admin\AppData\Local\Temp\43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe
"C:\Users\Admin\AppData\Local\Temp\43106d0e8bcc809ca1846b8f8f337c9115a9ee1fb37b30fc0bba4074cca79b8a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\IntelprocVX\xbodec.exe
  C:\IntelprocVX\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxIJ\bodxec.exe

Filesize
3.0MB

MD5
2ac4a7e22bbba2c452f63118efae7bb3

SHA1
68cc1ed9873f8516e1e40c56755920c8037a046a

SHA256
f60daee20886b295fb124c1bd22a4af322ae4c74e9ef952785cc9ff64d097e5b

SHA512
c90e4de4df4a10dc17720d69859da7c5a680b59a2f72d30132aa91b262791a30c2b07a23afbd57de3fde1ec99127d4c2f678f8d7eb29367fbe252646f22d2d54

Download Submit
C:\GalaxIJ\bodxec.exe

Filesize
211KB

MD5
81a8de2ac1440aa2dd378d64a83bd1d4

SHA1
e57cd57949fc4550c16fc99f6936bc3c7ed289f9

SHA256
41d3113a9ba6ac0285b580443c7d2ed6982b9f536194e34d23a539c12c9e14bb

SHA512
21c63172c1d7b242d3f63d9de68571feca4c6dafc2d8331dc5363813733d772ca65706ea84a087e9dcd74e69abad6fd258a32d85b5e96e0577eba0215afc6127

Download Submit
C:\IntelprocVX\xbodec.exe

Filesize
3.0MB

MD5
3e9e16b4e9457c2c2a191610f21595ab

SHA1
3d67c1bc0518f3517eb59503f95f94249537df63

SHA256
270aedc2446dd52a0ff52502bd02ac6afbebd98babb88fdb0c99cf227e6dc946

SHA512
f0f365d1c1a16270de592b0bb8baf5e45a8f99f0bd0551e402721d31094f0b6aa82f896009c353316d176b178d9c9e63c8478fbf41918b2d55e0b7ba6f0ecd6b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
aac6268db057f01bdd058337d25add68

SHA1
79862542bbbbb078355b65e3eb8c68f9933f82a6

SHA256
55adeffc5f8b5691e327ca1f59369b715e90e2d71b6d54f308f95e750ff6f44e

SHA512
0a917617a49a57836cbe755aae6b6a1f8eb627afb15ca0f816c7f2dc566c44d95062c0cee8f6e98b9d4276654437d5e03b3a7a2d1da9fb81da837fe364be00c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
8814094b2093510d2163120d105ff8da

SHA1
678d656f9aefbc9abbd2880b23b26f5b2ef458d9

SHA256
0381f176d49224e41f60d6b33d425b24dce2b2b78cbc8ea3c91c524649c54e53

SHA512
b1e7729ef8432ad6f49287202b8c26db4d9d9e17f442daaf304c500630a037bb89021a8efc97dfdcb67a8c0dfb41f479c16113a8afd2975a4619294dbb2dcd6d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.0MB

MD5
07faa693aaf740a931ea86eacc4edacc

SHA1
43c7d7691b93d2eb6bc256d2c1de0a12a53ddcbc

SHA256
1a15ff38ed08e766f758f8dc9643c31e7bfe653357243ac949c5370b4fc29af6

SHA512
f69450b47e6778b448c61d1e3c62abe68cc24f0de7f0c9d7e91da141b0581cd63fab5e20910b4a6ee035278b1a2325cfae0646ad53dda05dec7a31c10f81ea3d

Download Submit