49a304d68501b3ecc375f09909ae0f409e44825caf22927182a607d68adced06

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb88aaf25690e97bb6dad8fff86e3d00N.exe
Size

2.6MB
MD5

bb88aaf25690e97bb6dad8fff86e3d00
SHA1

019c186c2999ace1395078db7ae6ec3d45d18b37
SHA256

49a304d68501b3ecc375f09909ae0f409e44825caf22927182a607d68adced06
SHA512

ac2dc5e54b900640d35c15c6c1a2cff12183174fe8e616069b0c6b4b14ebe2814a3baad6041c8625b6275c0890e71685e96396862d1f0d524a85228f89543069
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bS:sxX7QnxrloE5dpUpXb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	bb88aaf25690e97bb6dad8fff86e3d00N.exe

Executes dropped EXE 2 IoCs

pid	Process
2916	ecxbod.exe
2720	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe
3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesR2\\xbodsys.exe"	bb88aaf25690e97bb6dad8fff86e3d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax17\\dobxec.exe"	bb88aaf25690e97bb6dad8fff86e3d00N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe
3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe
2916	ecxbod.exe
2720	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2916	3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe	31
PID 3012 wrote to memory of 2916	3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe	31
PID 3012 wrote to memory of 2916	3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe	31
PID 3012 wrote to memory of 2916	3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe	31
PID 3012 wrote to memory of 2720	3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe	32
PID 3012 wrote to memory of 2720	3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe	32
PID 3012 wrote to memory of 2720	3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe	32
PID 3012 wrote to memory of 2720	3012	bb88aaf25690e97bb6dad8fff86e3d00N.exe	32

C:\Users\Admin\AppData\Local\Temp\bb88aaf25690e97bb6dad8fff86e3d00N.exe
"C:\Users\Admin\AppData\Local\Temp\bb88aaf25690e97bb6dad8fff86e3d00N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\FilesR2\xbodsys.exe
  C:\FilesR2\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesR2\xbodsys.exe

Filesize
2.6MB

MD5
cd57dece0f5ada9f7d524df5afd49cd9

SHA1
91417a77e92586e9eb8731662d0b523c5756d6d6

SHA256
a4a2d025af006ac75e3b4fa6156cc57622f9ad796a0a04504e23556ddbd1b0f7

SHA512
9e672cb829951785f77ae8ff0c39d3c378aaff4c738fb97a286ae9854b33be37034df511a5a8ee5386996edaf8416cbd2e24b6d7aec3c70fb4c895b99e03e7b6

Download Submit
C:\Galax17\dobxec.exe

Filesize
2.6MB

MD5
2988b513bba5acbda82d9bcece5e6e05

SHA1
e108b3bcf716a128bc16d15383f88fa580b57000

SHA256
e8d5cc5ddad6595f620d6c6d1f1f4c8fe48a9e4a8a974746f7cd527eca9c8df4

SHA512
c74245728e599041d4954f2c9cae3dd3fdfd151fc8586418cf2c500932c2612882c10e7ea85787f079e474cee5ba329c7771e3a433f8988941ef7a57d475d857

Download Submit
C:\Galax17\dobxec.exe

Filesize
2.6MB

MD5
570db375b6d0d266b2f757cb5954d7a1

SHA1
60914bdb5a2a80b35215e93cf87f787c474181b1

SHA256
b130f1c3ba41552b10ae0abb85d5775fcea30229c07254ce4e3ec8264adee540

SHA512
07b8be7c3bba3f17811edd0ec219244a8600fbf42ba9722af5104059d0e8bbcd4bef12e7241b4ef76a7af503feea048af2d82e6e18b4754ecac4bb74c70f7b6a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
44bf9394d0c6f0767b0496a560b129ce

SHA1
d0ecc8c6cba37c27e1cc6ffad668d56ee2c15dc0

SHA256
c6e2a3d521018bf62fcec51a686968f820d78388223d24a84f0a62316b1c94ad

SHA512
c0c34bee36b0b41eee3ab7de0c8b236a20277e566deeb55a57641f517b2ae749ebb164965a4b341d3b3d311e57286cf5a16f46e08e46babcb300ce967ebe62a7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
d4975a295315715b62a45f6d66af5879

SHA1
4a18438a2ba5715ec064d4801fcc09eda4b7fbf1

SHA256
14a8b061173d8a00e2ad12df19c32255df992800f6063fc06f41cc5ea70c127e

SHA512
2532762f23e7f4662722fc80175786d2350e0b51c218460c800a9a8883c86b4996a7211a6e15b81eb77d604e70b332ba0e76613b25a4af0f2867537ad801b78d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
78e779cefd4dade1816bbda805ce74eb

SHA1
494e179c88f08fbe6278b3812a38c54ffe455769

SHA256
38d5492a32a04736d619c1006dab7dc2a4ed57c3aa4b5b06b44740b20cfc3df7

SHA512
7d4569c805f17f5c04ac9aa3a5b2534da35913dc6499eb80dc88c623fab7cf7b79d74b9e7b54580ed7e46fa0601ab980f11459f89121b9d535bf23ae72bb2aca

Download Submit