Analysis
max time kernel: 150s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 05:37
Static task
static1
Behavioral task
behavioral1
Sample
f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe
Resource
win10v2004-20240508-en
General
Target: f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe
Size: 3.1MB
MD5: 4f5d3df84940771701815930ef5fd25a
SHA1: 5e304be597a6e89fe2ab986e61bf9ea571226d59
SHA256: f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d
SHA512: aa6dac202564b89ae6a8eed1a6baf45d39264b83dde37f1c0641eee76f01ac54a46a2cb292ea4fc385955ae6005fd2a186454113d11b06c50f4bd555751a8be1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUp2bVz8
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (by f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe)

Executes dropped EXE 2 IoCs
Processes:
pid 4904: ecxdob.exe
pid 4708: xbodsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBU\\xbodsys.exe" (by f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZL7\\dobdevec.exe" (by f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe)

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process, number of entries):
3024 f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe (4 entries)
4904 ecxdob.exe (30 entries)
4708 xbodsys.exe (30 entries)

Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 3024 wrote to memory of 4904 | 3024 f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | procid_target 88
PID 3024 wrote to memory of 4904 | 3024 f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | procid_target 88
PID 3024 wrote to memory of 4904 | 3024 f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | procid_target 88
PID 3024 wrote to memory of 4708 | 3024 f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | procid_target 89
PID 3024 wrote to memory of 4708 | 3024 f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | procid_target 89
PID 3024 wrote to memory of 4708 | 3024 f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | procid_target 89
Processes
C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3024
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 4904
    C:\SysDrvBU\xbodsys.exe
      command line: C:\SysDrvBU\xbodsys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 4708
Network
MITRE ATT&CK Enterprise v15
Downloads