Analysis

Max time kernel: 150s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 14-06-2024 02:39
Static task: static1

Behavioral task: behavioral1
  Sample: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
  Resource: win10v2004-20240611-en

The signatures and process tree below come from the Windows 7 x64 run (behavioral1, matching the platform and resource listed above); the Windows 10 run (behavioral2) is a separate task whose results are not shown on this page.
General

Target: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
Size: 3.9MB
MD5: 913cbc7960bb52b182613064a135b7ad
SHA1: 474902ce8d516b979bf4d6159421d593ddc06e4b
SHA256: ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8
SHA512: e8811cc8146fa9adb304cb2eb149d0b009e7b413a05585eb91ef91d35d5155cb46eef0bb28d3b4b1253f058e01f23d8da48a2f0d38f2f85c979cbffed437cec4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSqz8:sxX7QnxrloE5dpUpibVz8
Malware Config
Signatures
-
Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
Executes dropped EXE (2 IoCs)
  pid | process
  2140 | ecxdob.exe
  2700 | devbodsys.exe
Loads dropped DLL (2 IoCs)
  pid | process
  1956 | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
  1956 | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data such as saved credentials. The report attaches no file or process IoCs to this signature.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBJ\\devbodsys.exe" | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGU\\boddevec.exe" | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe

  Both values share the name "Parametr" and point at executables in directories created directly under C:\. Neither entry is exercised in this trace: devbodsys.exe (PID 2700) is started directly by the sample, and boddevec.exe does not appear in the process tree at all. Run and RunOnce values only fire at the next logon, which a single sandbox session does not reach.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process | entries
  1956 | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | 2
  2140 | ecxdob.exe | 31
  2700 | devbodsys.exe | 31
  (The original list has 64 entries: two for PID 1956 followed by strictly alternating ecxdob.exe / devbodsys.exe entries.)
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process | entries
  PID 1956 wrote to memory of 2140 | 1956 | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | ecxdob.exe | 4
  PID 1956 wrote to memory of 2700 | 1956 | ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | devbodsys.exe | 4

  Both targets are child processes the sample itself launched (see the process tree), so these writes are into processes it created rather than into an unrelated process. The report does not show what was written.
Processes

C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe  (PID 1956)
  command line: "C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe  (PID 2140)
  |     command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  |     - Executes dropped EXE
  |     - Suspicious behavior: EnumeratesProcesses
  |
  +-- C:\UserDotBJ\devbodsys.exe  (PID 2700)
        command line: C:\UserDotBJ\devbodsys.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

The page does not name these files. Four of them match the submitted sample's size (3.9MB), but none shares its hashes, so none is a byte-identical copy of the original.

Filesize: 3.9MB
MD5: 3050c6c6b59239af083247c88c2995d4
SHA1: a4341770d34aa692bb1eec935b7a0009d8e4098f
SHA256: fb162b0a3281e41c730986c01b5d8ab2f6f9119ce85910d87149914262ff5d40
SHA512: 4cac03e8cfc8f1699e198cccf81f5d1537fb71c2e7554bf5018407335cbab48325bdabf61dfd263f409df1223eb50ffe273e5cfb99fe77425d5fcb2bfc1486f9

Filesize: 3.9MB
MD5: 9daefe502061561d173abd18521f0c7e
SHA1: ca5386402e44c7fffa5f8e666c85be0f211d315d
SHA256: 1a7a78c5c66ae4a9b91750647dfd5d3a50c84c002e51a3790adb5973ff047f1f
SHA512: c5175d49640e152f72e31268003dfe09480860178f49ed2e7780b77f0a485014b723e02801421ee16038da7c9e40325522b56ace28307df6958b4b9395e119dc

Filesize: 3.9MB
MD5: eff235db029209b89e2ccb037129d871
SHA1: b8c9e21ab8e513d38b91b037460939e7fe6db370
SHA256: 9ca52bf90129783e9e32671930f257a6cb0aa61a6636d057da2446f9630f8e35
SHA512: 9d26ba7254d027ab54a713217e6e7908b7146d74b3f1a3742e04199f86b145a2bcd6b25ffa4fe7f33baf130b71b7376d234da298c452279ed75d34de30e441b7

Filesize: 172B
MD5: 22684f0befcdcf3e68d84f9ca722f149
SHA1: 3385f78e883dd90f03d21ac1c9b11c56ce87c0e6
SHA256: f2e9bd9574aa17cbf3b1f1d7edadb3b73527411bbf491ecb6b7e3dc691a9ae86
SHA512: aea6764684774398e96017f9940f67506cd04c1122df2f084c259fd7cab114bd114dd70c4bb38f01c8b2a88732d569a6d364508856a2c6b55f61ea9db96f1e16

Filesize: 204B
MD5: 058d52c87478916904ce501563c12f09
SHA1: 0c211f3ac1f9866bc8b7bc070c19845972e26e28
SHA256: 3c6b308b6044a2eb9f9765e0368999c12d6b312bcedaac2df3392f8c50667345
SHA512: 5334794d0046f670f45e1abd8765d65faba39932924ab8fa6fcd19fe61bf082a158a903ce1c0a2dc2b221dbdf3ad4802c54743da0e63ab3f0eeacdf6b3ec0060

Filesize: 3.9MB
MD5: 147cc195c660eb9fca9139c377cc1176
SHA1: 6e146ac5461cf8bf12de67e3b6458b659d40af45
SHA256: 61d3ac1bdb79ee4c94a64e9925e545639bc58280dca7bc79cf17d63b5d534b3b
SHA512: ad25378345d0b15eb8e836f8d65ce07497e2bd4573782b8234b97a8b5af7e7ab53d7a4a5f403e2fb183c83c2c08e0886c48f2653fb5187b2a151a4b59608fc58