4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
Size

4.1MB
MD5

88ff053add827f525cb99740b26cc056
SHA1

da9f98795713cb42c7ff68b112de863cd9e3b6f4
SHA256

4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94
SHA512

bff162de8ca248b3ced9c0387ff31fd71a1328d7bae74ab2d1248d8269f224822058e4cfa96898b79848df04306e0661ff1436e5a91af142d291c12c90e50e29
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpDbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe

Executes dropped EXE 2 IoCs

pid	Process
1300	ecxbod.exe
4800	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXK\\dobxsys.exe"	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3Z\\abodsys.exe"	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe
1300	ecxbod.exe
1300	ecxbod.exe
4800	abodsys.exe
4800	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 1300	3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	85
PID 3928 wrote to memory of 1300	3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	85
PID 3928 wrote to memory of 1300	3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	85
PID 3928 wrote to memory of 4800	3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	86
PID 3928 wrote to memory of 4800	3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	86
PID 3928 wrote to memory of 4800	3928	4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe	86

C:\Users\Admin\AppData\Local\Temp\4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe
"C:\Users\Admin\AppData\Local\Temp\4c9cdd61249483c4ef050c43a664fdfe8322cf82b07b914b94c9002e2979cd94.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- C:\Intelproc3Z\abodsys.exe
  C:\Intelproc3Z\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc3Z\abodsys.exe

Filesize
4.1MB

MD5
dff37d062494f2840ab1aa6fe08701b4

SHA1
8add810497b2abaefd9c91ecc160fa0afddd3178

SHA256
176d5957ecb2f13a89bd201c02bcdc00bbcf47f7d7b53fe4021cfe649abcb57c

SHA512
a1abc335876e5eebaac463a683f9992636b71ab732a94749b48eb3657d4263f70fbf1922dc74c2fced96162df787e217509e8460771220580d2a3211d0f0556f

Download Submit
C:\LabZXK\dobxsys.exe

Filesize
2.2MB

MD5
7939d3bfe664a764b5f6d691844d969f

SHA1
0d3f3020d7dfaa4502eaa462c01bb60dccbee309

SHA256
08cc79d2b1d9d7bca67b5deca4c711eae882180c774834ef6b88bf6cce12e6f4

SHA512
c26b87a4797bd85626ac6b7afbfa999a1f0625a5c538aa241645b11f1a3a13837d9a66a1718d5afb2c6941b267d7db37eddf9f381377a0c2761e0ea285c3e524

Download Submit
C:\LabZXK\dobxsys.exe

Filesize
26KB

MD5
fd22ff16faa670189ad5472d046eefc3

SHA1
af5985a64f7b062d09005a38866558d03e8c9187

SHA256
eaeda1f937ebcde5091367ec243ec949046efb5fda41d977e79a7d193cdf98c4

SHA512
1fb354379abd6b0096371230a45f04facee9b7148001672781feff0301ab5c94b65f8f0b2e4f8b440530e07677939477ac83217e35e55b1944305bafcda71e72

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
370202a85e49458e6712c4c0aab7db48

SHA1
aad1548cdef0689bd44dcc08c43eb173509e0599

SHA256
3d5ceb7149cbfa013873ef8aec112785d1662af0361b991d4a8643fd83b9a4cf

SHA512
80927847daf53cd3ca0e5dd9a9c8ac0bee3d1e28eba9d840662e98386e5649ded0b9d9048a6bbb3d96fb5e59f51090fcb9a9471fb5421aa2fa1c57fd4a9dea7f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
8f9324f14f9ba9daa5ac38b1e2a2e592

SHA1
42ed23ec226b0b0d7a675cd14019da06c6f2ba51

SHA256
d4bdfb6ea4cdd163b4b411332b2b099ef653006482375d06ce047d3cfa93101e

SHA512
ad1811e14ad84a70f6f47d47d3b1a30e7a3faa90c0fda91604843c1a1f18f7cf4965c9026a8d34e8ccef985458c3cfca68e8b7e8a2fa93b50e6753c2cf1e2619

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
4.1MB

MD5
03d7724542e8b8a77f05df5b4f9ae22e

SHA1
b2ce4f10c2af02ff022c7ffb6ca08bc781f5fd06

SHA256
80b302033d098b89310bbd448d7b63cdb2439085027d2948ad27dcab86769888

SHA512
d64d022ce32d590ce50e5f5c0cc7f8f6582ad628950a11fb8d0ccebfc5315855f2b0865a3bfe4739eebd0c9ce65ec81d60f66ecc425b7e44d3e126e91c1a4874

Download Submit