e19c1e3d6c1e4193545a685daa27ca72108d5ef0b0a4962817da1cfb23e29d63

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6a1afe7f95afac2b8d65094b0831b50N.exe
Size

2.6MB
MD5

c6a1afe7f95afac2b8d65094b0831b50
SHA1

88e561a525d959c683150d5930894db2ada1e965
SHA256

e19c1e3d6c1e4193545a685daa27ca72108d5ef0b0a4962817da1cfb23e29d63
SHA512

c90473169365c5d7d96f17954b87a84f9cb9f81e7903650a652265cc5d24cf1807a64e283740170dcb9a9c90cee1a3aa4169c6373caf0bd48dd4231631780474
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUpYb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	c6a1afe7f95afac2b8d65094b0831b50N.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	ecxbod.exe
2288	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	c6a1afe7f95afac2b8d65094b0831b50N.exe
2432	c6a1afe7f95afac2b8d65094b0831b50N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU5\\xbodsys.exe"	c6a1afe7f95afac2b8d65094b0831b50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRL\\dobxloc.exe"	c6a1afe7f95afac2b8d65094b0831b50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6a1afe7f95afac2b8d65094b0831b50N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	c6a1afe7f95afac2b8d65094b0831b50N.exe
2432	c6a1afe7f95afac2b8d65094b0831b50N.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe
2256	ecxbod.exe
2288	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2256	2432	c6a1afe7f95afac2b8d65094b0831b50N.exe	30
PID 2432 wrote to memory of 2256	2432	c6a1afe7f95afac2b8d65094b0831b50N.exe	30
PID 2432 wrote to memory of 2256	2432	c6a1afe7f95afac2b8d65094b0831b50N.exe	30
PID 2432 wrote to memory of 2256	2432	c6a1afe7f95afac2b8d65094b0831b50N.exe	30
PID 2432 wrote to memory of 2288	2432	c6a1afe7f95afac2b8d65094b0831b50N.exe	31
PID 2432 wrote to memory of 2288	2432	c6a1afe7f95afac2b8d65094b0831b50N.exe	31
PID 2432 wrote to memory of 2288	2432	c6a1afe7f95afac2b8d65094b0831b50N.exe	31
PID 2432 wrote to memory of 2288	2432	c6a1afe7f95afac2b8d65094b0831b50N.exe	31

C:\Users\Admin\AppData\Local\Temp\c6a1afe7f95afac2b8d65094b0831b50N.exe
"C:\Users\Admin\AppData\Local\Temp\c6a1afe7f95afac2b8d65094b0831b50N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\SysDrvU5\xbodsys.exe
  C:\SysDrvU5\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBRL\dobxloc.exe

Filesize
2.6MB

MD5
cb49533a0175a4344656db2cabdc9822

SHA1
ccd0f3388462154b99ef8249f9f0fcd3ea8538df

SHA256
85a423d8cc9d23eac6f6b86264cbbcc3a5125e2be158e58de85cb71b0842c11a

SHA512
294574daf82a02dcd4a9497035166c91d1ba6e8a4f782f776b82d902784274457a23170f836c2015c459951fe172651be6e304f5721b7666596cdfc2d0ecaac7

Download Submit
C:\KaVBRL\dobxloc.exe

Filesize
2.6MB

MD5
e698249a9578267e31d4ed44c497b76b

SHA1
4c956131982a65c86a18bb674da21a69af1691a7

SHA256
f79ee86c989c7a0c68ca22032ad28701d3db7ec7f8b12976f2631fc8e755703b

SHA512
49a2ea76a188c5956eb30d0e1bfb893e4f7cddb534bb55d2a72bd73b2a99a67dfc47ee644ec272f235a649dd3ade4bb786eb0745eed7dc7b152af379946910c7

Download Submit
C:\SysDrvU5\xbodsys.exe

Filesize
37KB

MD5
9ba1f92f17320406dfe029e73132f1f8

SHA1
5178500c26e0bae7a24b5f6089f4efac6bd1c451

SHA256
e2bdabf6ea4b10b3bcdc7cc25b9413609a1f9f529940ba94824e408abb581504

SHA512
afcb08b444b349ced710fdcf62a34fe5d36f5ae3233e46e7dea8b228f13e34643000d248e3a4eb700d4def94bc096c9aa4988b02398441d2eb578682cd4eb835

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
0bc5b43be670b320f64c2c072674ce41

SHA1
9d8e681e689fb294ac767cd0fc92981f99398027

SHA256
774a244a51560a48717d8427b9c690e84dfb47a4b06fadc43b748e0389aec06b

SHA512
49008b0490b6570936ada6fde0c860c7000536a6badbd78ddd6548288f70a9e5a6ebadc557476e6c301179090c6b3bb2e0ad9ab68f8af39485fca5d6ef6e3349

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
2d74c3979f1bc9d35c94c1b44ae18875

SHA1
9cb2256eec527c4abac52569a6e5bf587ccec521

SHA256
d7dfe50b3f6555c2ded3ce5105729054ccbb4cf96e2a23681a3a170b7556ac75

SHA512
a7c0ce398c91c7309685c3d94ba0548124ee841b3e72f8300f704f450384319cc8f1e5db8b5a2b7316977a5d2f313f85b0786b626edbcbc5b96ef2b3e45f1e44

Download Submit
\SysDrvU5\xbodsys.exe

Filesize
2.6MB

MD5
c1462adfe54c56a74f689e461e767356

SHA1
916390ea499a5018304ab543ef565e8106a18fb3

SHA256
78bcceeca448fdb6999420b07c52dcde4dea4139b70b36df8a622cdf169e4352

SHA512
3e46bee42b43fff974272b9aa15355d54582c355fb95a32f6deb1d90b302d26db4952be37c81119ea09ad5b687ef2a300f2317370fe8c3733f949881a8394019

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
6c88f48c03b77c848b105ea8ff21c3e9

SHA1
0b309d4e87325a6b5ec0b0208c8ab5ce105ca12f

SHA256
6ecdda5d9ef8c03de66daeadba535419f6afea6173830a3020cbeb61bff43dfe

SHA512
4eb83de3dc0f66bc120959ee43f8112e35e6d6599f18947c24a55264ee542ba89fdee17836efd3024dadd24a305e0214a1dacebfc6cb9e129112a644fd8a3435

Download Submit