Analysis

  • max time kernel
    150s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 05:37

General

  • Target

    f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe

  • Size

    3.1MB

  • MD5

    4f5d3df84940771701815930ef5fd25a

  • SHA1

    5e304be597a6e89fe2ab986e61bf9ea571226d59

  • SHA256

    f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d

  • SHA512

    aa6dac202564b89ae6a8eed1a6baf45d39264b83dde37f1c0641eee76f01ac54a46a2cb292ea4fc385955ae6005fd2a186454113d11b06c50f4bd555751a8be1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUp2bVz8

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe
    "C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4904
    • C:\SysDrvBU\xbodsys.exe
      C:\SysDrvBU\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZL7\dobdevec.exe

    Filesize

    3.1MB

    MD5

    aaedede3a7463fa055564ae81c88e0a8

    SHA1

    556409add98d921214941a55e8b2f3a72bc149a2

    SHA256

    16786a2674e82e8f5c636ba81b790bf38c0ecf0e85bd1b56dd6633f49f014d91

    SHA512

    2ff7b8514fdeef78d38d173341e0a71ec2e50c1e7e0659f584b9c676085f9d31ffb512ef9ee771eb192cff46cddc3c9f1aeb0557bb9c9a6033756ddff51c48e7

  • C:\LabZL7\dobdevec.exe

    Filesize

    3.1MB

    MD5

    0aa5a815675b6a9a7f0f0b5b21c3abd9

    SHA1

    fac6efb6eb6204d09544375f2c35c78819e7b128

    SHA256

    d83adab733e1f2267839b343014b77db170fdf18f4bc6e59942a73cb87764917

    SHA512

    fb46bcdfae47f4997a0a49b91178add4a2c4ff75fde5f1107dde44d176a2454ffc9a871bcbd60b73eb0a8121e5f7128b51d18241f4be8b0a44a80cb4fa527f49

  • C:\SysDrvBU\xbodsys.exe

    Filesize

    3.1MB

    MD5

    5fbfb37b60da244c4efb7559d05838c5

    SHA1

    651061a69c867a5af865246e08fb15f480b2eb68

    SHA256

    f742fc1f369f1f02f139f5f6e54ab3f8295cf92e596bafec35954a2872211840

    SHA512

    e2c035807d6d3f43ed6b52beb29a0f8e1eae1af18ba40687b1a5bdaa974a0963f2f92a5e59ee914ec308a580eb97a13a34a122dab7370c9a801ff649309a9ee2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    201B

    MD5

    ce74f1e5a22ea516df4089613662b67b

    SHA1

    7024a03246353610ef48f10fe0b0e7952d874dfd

    SHA256

    be4d5dc07824c8187b05fe0439a27e0025b2d605b7b7a0ba73aa4b1f47f5d3ea

    SHA512

    3e0e9edbaa8507aaf610b5b3c5b052ebbc560d9f78e97714c9e618567f7f62fa56c5a795c3c22e0083d2fce20a8dc842fc19cdc6051024bba2e8ecd4c1ef9533

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    169B

    MD5

    f8f94075521cd80bcd51f9e46611ffe3

    SHA1

    af95178df36995b9869c99ceda32abe44ea2d457

    SHA256

    01c559c4d8fe414161578d72dae07c482464637e6bc651b786cf9a45e7fa17f4

    SHA512

    29782b35c5bda9b14e2ee81dd12536f4119a24f1f71f557591f1f3eba1388d6b8d9b45fafb2291c9352f2ad27325120df249e10fef643ed7751e58c57730d207

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    3.1MB

    MD5

    63a53346ade424b350b8a3717b6c5dc2

    SHA1

    3406862b0a70790d24a5e4f7dce43978c801cfc2

    SHA256

    7c4624d694381a6d0fd0adf31d45647ea686b25e6537959040545d8663501144

    SHA512

    b29029352250cc559971f6f4405dc905a8a82f15705599e19866f389fdb656178d318bc4c6da42f8a58a83e0641b2f87637bbedbd35b874cb597a5843540781d