ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe
Size

3.1MB
MD5

2326e867f5137ca6e0698f5e4bc2a850
SHA1

f5262032269974637acf6e1251886f2d8225e8dc
SHA256

ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e
SHA512

fceb6eb08e40a8a8d7ac37505369c0d7661824bf6f45f6e4be2939b54fd3a38507d9e0f1cd4529868e0fd6e429df8d1ce2461bbea806bc6e694ab5ef2be55c14
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpKbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	ecxbod.exe
4520	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWD\\abodsys.exe"	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxND\\boddevsys.exe"	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe
3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe
3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe
3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe
2940	ecxbod.exe
2940	ecxbod.exe
4520	abodsys.exe
4520	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2940	3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe	85
PID 3048 wrote to memory of 2940	3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe	85
PID 3048 wrote to memory of 2940	3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe	85
PID 3048 wrote to memory of 4520	3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe	86
PID 3048 wrote to memory of 4520	3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe	86
PID 3048 wrote to memory of 4520	3048	ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe	86

C:\Users\Admin\AppData\Local\Temp\ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe
"C:\Users\Admin\AppData\Local\Temp\ccbb3bdf0d32f2c27653c3f92eeeefb0fde2377fa57d255ed142bc2bf061960e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\SysDrvWD\abodsys.exe
  C:\SysDrvWD\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxND\boddevsys.exe

Filesize
829KB

MD5
ec27301488b674f4394887d8cbc7bd21

SHA1
3c445b936a4f34ffe61094e62e28fe328dfcdf75

SHA256
aa578dc449c32c3e6c484c8e6a6db57c8e238017635c969e4b3b82e1621b7eb3

SHA512
d7bb95cb553d7ae8761944d6030ac31b968bc01606c7b2b084b55298957912821ad2f598d9ebbafc9cd78e5efd56a0218463926bbb8793b80084016a193b9f65

Download Submit
C:\GalaxND\boddevsys.exe

Filesize
5KB

MD5
35d5f2180b8da2eaecad0679e66dc251

SHA1
3e782e20becd6567750bacb04faafd148aadac06

SHA256
2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700

SHA512
15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493

Download Submit
C:\SysDrvWD\abodsys.exe

Filesize
579KB

MD5
89702e04120964f54f21c87ccadaf780

SHA1
d8c7275dbebb7df713bc15585c541bdef9178063

SHA256
9e780a36bb852e6715cd1ec4cfc924e904d98ab7035c89cce62c174a336e50c8

SHA512
1f7ec58ce6dd6a20f2897b3a1f28a9ed50d47769808996e2deb13fcc7af86ab43e39581925d0f1b7736d54c35232c177e4eade4828cb9fb22c509d5e22589325

Download Submit
C:\SysDrvWD\abodsys.exe

Filesize
3.1MB

MD5
dfeb8a72bd06e788ccd563e39541fbf7

SHA1
4325fb9175a88214a4997dc93763bebc6e2822cb

SHA256
f0e620f6eb599b7d773fb7446d77c2a5ab91a8ac00eec86ae55e69986b7b70ad

SHA512
0b93e527f5b50e487879bd6dc6a00f2962b83c0dfdacaaa01fc502c0aa5220688cdacd7ed2a4339ea68b14e43655cbf358b261617d780b6260887b79d943260e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
bb1e5586739ffd7f8d6e4f51494eca4d

SHA1
137dff3ac906abaeea1a46e0e49485fa1bd67a61

SHA256
d3db647725905850a615ccdc67f6b3b1d4209881308b0a2d32540dd69ed52400

SHA512
065e2647732b47d0a6bab69ad8b3a5075a4b49bf593a709436f0563dbbd6fcd6d8ed0c97b95f81d05a85204b070a1f573ae16752f00c9a1464a4e1bb44e9ff09

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
03e464982f5e77fa187027e5ff8eb0d9

SHA1
437f16a4c6fb12d100d81173f2cf80742c678948

SHA256
c4d5ff47ef9e56e46f6f653c8210a888740bc77f43513ef5be792224357ef247

SHA512
34e70bfc2d2f3d4098a27e32720c2414b3006c4192dc38bfe48d92ca0771fe9e6e3455ddba3ca95e516fd0778d1dea1d511acb522fbbccf50a2ad9d489519cda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.1MB

MD5
4ff0b351ea4922871a6dda1d8b5845e7

SHA1
3590f20cce3929177ef70024fd66398db55e8953

SHA256
18dc19c079e809c0731ea097382f88d6e5f396cd184b3fa3a4319cffb273e3e4

SHA512
e6baac5f0f29b02e1969b77f2cc9fb9dc8a67d62f9f61a8b3a750427fb591ee3ef48b7ee1687a07750438448b296392337ecb017e145cb9c4cc6fab334d7c705

Download Submit