ef2885d857be415cbd4ed3aea244ad17e8b8d9d960d0376288772c508962a0f7

Analysis

max time kernel
151s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ff24f8d3031ecaf2030cc570b54be0.exe
Size

3.0MB
MD5

07ff24f8d3031ecaf2030cc570b54be0
SHA1

bbf6d0279a9e0af663a6cea372f34279c852145a
SHA256

ef2885d857be415cbd4ed3aea244ad17e8b8d9d960d0376288772c508962a0f7
SHA512

480f77077e20bd9ea3ae664776c378fee0f5d26a5b6191c66959fc694860d0b39d93aea5061374848237d8970501f2c6e03da8087e96b2b69b4af29b2445451d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNX:sxX7QnxrloE5dpUpbbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	07ff24f8d3031ecaf2030cc570b54be0.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	ecabod.exe
528	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5V\\xbodsys.exe"	07ff24f8d3031ecaf2030cc570b54be0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0Y\\dobasys.exe"	07ff24f8d3031ecaf2030cc570b54be0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	07ff24f8d3031ecaf2030cc570b54be0.exe
3248	07ff24f8d3031ecaf2030cc570b54be0.exe
3248	07ff24f8d3031ecaf2030cc570b54be0.exe
3248	07ff24f8d3031ecaf2030cc570b54be0.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe
2928	ecabod.exe
2928	ecabod.exe
528	xbodsys.exe
528	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 2928	3248	07ff24f8d3031ecaf2030cc570b54be0.exe	91
PID 3248 wrote to memory of 2928	3248	07ff24f8d3031ecaf2030cc570b54be0.exe	91
PID 3248 wrote to memory of 2928	3248	07ff24f8d3031ecaf2030cc570b54be0.exe	91
PID 3248 wrote to memory of 528	3248	07ff24f8d3031ecaf2030cc570b54be0.exe	92
PID 3248 wrote to memory of 528	3248	07ff24f8d3031ecaf2030cc570b54be0.exe	92
PID 3248 wrote to memory of 528	3248	07ff24f8d3031ecaf2030cc570b54be0.exe	92

C:\Users\Admin\AppData\Local\Temp\07ff24f8d3031ecaf2030cc570b54be0.exe
"C:\Users\Admin\AppData\Local\Temp\07ff24f8d3031ecaf2030cc570b54be0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\SysDrv5V\xbodsys.exe
  C:\SysDrv5V\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint0Y\dobasys.exe

Filesize
90KB

MD5
32f586246cb3a614ded23a28690a6af6

SHA1
1dd9bf6d4e2022dd861ba1f40499bedf5454a861

SHA256
27e972d37adf65d995e2da17be2c8816d349ae712c812b5037bddf8cda87165c

SHA512
1b98aac6eae89a52329b2cc096faef7b816b48cbf26437901124557c2ac4fba1f65b005ea996c637fbe6d9c198d7953ce302cb5280253b2e6e75002de7ccf7a1

Download Submit
C:\Mint0Y\dobasys.exe

Filesize
110KB

MD5
33dac41aa735b6169f9f0692d880ab85

SHA1
7797ad9cda39d0ee8824c4b07f095d26e7463ffa

SHA256
2058aa73c631d9123fe186ca595a12dff5ffc4d2e2effc07508a3c1cbb691ffd

SHA512
8ef32c0e324cf81f8fda21add654df1e3b111c5b4f712c4e5aba75a5bb0bca9fb0d5806d1a67eb497ba9a5d04d2a2b52737750742c9d8ce2f26cb39758f368e6

Download Submit
C:\SysDrv5V\xbodsys.exe

Filesize
3.0MB

MD5
e85fcf00919c3b3128878eb72714bc28

SHA1
e1128f79794e2125812c2d6f67e7cc9d59380ab8

SHA256
f0d7fa7e1dedcc4a131dc7a93a56ce1da14ef191197a0f641cf287c60e330d85

SHA512
2ac141c16c02cf12168e917af9caa242e01214f6ecbb5fa43732c5bda6c3dbcf0d95cc1931f62b3a7cbf32322ad13675ac675ed2d40cf93704b6efbd6dbc05d8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
cba1a4b521cd585151c7044bd8d4041b

SHA1
0f51fa620f21357f43cb8c81d3fa67ce6d112d3d

SHA256
e9fbd1d52694d3f2d1c36aabd27e3494862554d6a38a2801c44525c5b01ea2ed

SHA512
9a128e01356cd2dc8674043ecdddb3ad35350355f2abb3d73f106873f67413f41dced86a38e85e448add4ab3ba54edfc768907b307c0251f44adff2d29af5185

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
b3022f40d58598e1ac6757fcf2d42ba3

SHA1
4003d1f8c5caa94ae946cbfb0ab2a200ce1f043d

SHA256
22110d1264b2abc455f23da97e830a4611cb80e1fcc14ae7bcae016e4825810d

SHA512
e83e9ff036cee34c0ff07fe9668387c40a78d3b4d2dd2dccbccf95048d93ad1b4dbd5042d97c8da1c1ccced84a377f9c89d1970f9e12c9ff9b8ef89e43bab799

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.0MB

MD5
75d39489e52a3e20e72272a164e86204

SHA1
888b8cffcd22c299173521a7fa7e2ea8e486265f

SHA256
bd763fdc780c200eef2df0440ab2a46ad92c002775ec645e3b164d0215752276

SHA512
03b9eccc50bb6e73ab0d7e851ce8f98bcc19d1a30a44ed63b939717ab1fdda44e1defe95598c3d5d4c399cb2999f45074b1ab2f7f44b580d15220952ec295edd

Download Submit