ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3

Analysis

max time kernel
148s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
Size

3.6MB
MD5

854495e9b6b427e26813d567c4b1ea53
SHA1

7afaf89691e942a739253144c87629ec8fe58ad2
SHA256

ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3
SHA512

1503ea391240b6d369e95f3475e49fdd0c0580b0ca135540a8a82cd64b7c8d20ea6aeaa30234f0d260aa7852b671a83ee57f21bd5cd21e3f39c8c33012f73bd0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8:sxX7QnxrloE5dpUpObVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe

Executes dropped EXE 2 IoCs

pid	Process
3140	ecxbod.exe
964	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvW0\\abodsys.exe"	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT3\\bodxloc.exe"	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe
3140	ecxbod.exe
3140	ecxbod.exe
964	abodsys.exe
964	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3140	4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	87
PID 4544 wrote to memory of 3140	4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	87
PID 4544 wrote to memory of 3140	4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	87
PID 4544 wrote to memory of 964	4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	90
PID 4544 wrote to memory of 964	4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	90
PID 4544 wrote to memory of 964	4544	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	90

C:\Users\Admin\AppData\Local\Temp\ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
"C:\Users\Admin\AppData\Local\Temp\ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\SysDrvW0\abodsys.exe
  C:\SysDrvW0\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxT3\bodxloc.exe

Filesize
662KB

MD5
224e06f58b05a21fbfeba5b4bb078236

SHA1
c2183660848d2d2c7b8ad73f4b62e4f742b0f430

SHA256
368937f656851c4ea10884ccdd7bd802678f6aaca1c5c096975fc5cad110d954

SHA512
253e52bd4a7492521f4e5ac6323b077cf99bb23763fcc90131048b199a5f4b965c7169e17e66ac204881c48b6ea8125e5e86f746e539038dedf86ef0033d298a

Download Submit
C:\GalaxT3\bodxloc.exe

Filesize
91KB

MD5
fb7f2522262eab1987611196daffd123

SHA1
3ed66b817ca0d5b602d6548b0385aa4b231b320f

SHA256
6e43d47c35122b554763c39b2b42fc5c8663f275e5782477e0b925d490f71780

SHA512
58870e85f8a1ee8e25e6996e921ee6d5f06ad79fa902016ad5e0e6f21c246780d6d8530caee356f48af0018437ae16253b23627ab4ca2e179cd4482dbde37b0f

Download Submit
C:\SysDrvW0\abodsys.exe

Filesize
3.6MB

MD5
c9a4483ab967c8c611fec45cefc2fe81

SHA1
45e9bd6ddff5ae3f7fb5076ade947432de3e70db

SHA256
e4632bb771af408b084c310da4ea351ac5d74a3d2f65c735535c0fb40bff1cb0

SHA512
7c1103866144d356bf1c743178d148f7d37dab7e06d4dd52477c4ac4f4dba90829499fc0feaad3a845c237f85adf5639ec2441853e7138d50afbd155d2783e11

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
e94908ed9539aab1d34704804ab933ff

SHA1
9e3c22df65d75ceb4c8c1c26cb1c21a006f77525

SHA256
bd42f885de602e690f808a5062b329757a4751fd75d306671726f589d38c7cb0

SHA512
230481c880f121c5f8100a7f1ba4afe83f8775b2f5a2af5e411080cf318012faaba7b099505a9b3266c5a29d117ceb63bff204147a56e76680cbee370e457649

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
f4d464ec3d3e86e7c1acc1d713897fba

SHA1
f152c679b0c360c3d23bddb8c42beda8ae8e61e3

SHA256
2d0f5e0afffdeb7fc94fa1496742774f05dc9cf0b9f36342cba1827196d216f3

SHA512
4168752d2ecd23288d8696c2ad7febfb375815e7d16050117573ae807116d96f39ea2cfb769a0c74d5896ac5f0ffdc75a1cd38cd8aed74571077ea3ebd28add1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.6MB

MD5
b1f71c4472f46e1955df8958a16ad26e

SHA1
bc0f1b01884dd1bb08d1de5c6d544eb08fab9d7c

SHA256
328d302c620efec8def3724817875a705ab90ae0fca74cbfc8ffb046aadb7900

SHA512
da2872ae8f4a7f9384e76e4fd71f9eb6e5022be51d35feecfcddd98badf99b508a6933f1f2a653edf35f419601fa6e3a496bb6c58c07b0bba6b560ec5e86ddb7

Download Submit