f64581d4deefd87bb1930dac2da3e38b8aeb8c93ed12e88d535ddd0191f9e9b3

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
Size

2.6MB
MD5

2a35e3b3e0ce2ebf79ce73e6f187e580
SHA1

365ee986520f66f4231667b0b31e3e0836253cf9
SHA256

f64581d4deefd87bb1930dac2da3e38b8aeb8c93ed12e88d535ddd0191f9e9b3
SHA512

af15d9b93f16600ddb2e98973545afac29505ea46e4312d973558819aa037e40354b8c22b67be8c478a0061e411a6a80ad00f06272c61f781bff5599b0a90849
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bS:sxX7QnxrloE5dpUpjb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe

Executes dropped EXE 2 IoCs

pid	Process
2160	ecxbod.exe
2536	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG9\\devdobsys.exe"	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQS\\bodxsys.exe"	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe
2160	ecxbod.exe
2536	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2160	1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	30
PID 1908 wrote to memory of 2160	1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	30
PID 1908 wrote to memory of 2160	1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	30
PID 1908 wrote to memory of 2160	1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	30
PID 1908 wrote to memory of 2536	1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	31
PID 1908 wrote to memory of 2536	1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	31
PID 1908 wrote to memory of 2536	1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	31
PID 1908 wrote to memory of 2536	1908	2a35e3b3e0ce2ebf79ce73e6f187e580N.exe	31

C:\Users\Admin\AppData\Local\Temp\2a35e3b3e0ce2ebf79ce73e6f187e580N.exe
"C:\Users\Admin\AppData\Local\Temp\2a35e3b3e0ce2ebf79ce73e6f187e580N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2160
- C:\SysDrvG9\devdobsys.exe
  C:\SysDrvG9\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBQS\bodxsys.exe

Filesize
2.6MB

MD5
3a7ec8b03a5147ff4d1e1153cfda8626

SHA1
dad6785a9cbbcb1cd37c83de98c6b9dd48e6d27b

SHA256
95a5ca2410545e2ba6445b4c788d0f1e74739f828e99a5dbf9b169e334c9df13

SHA512
4132b17f99e174fce15d724106f4f8ce626dbd26713529251764a90fc591914c704dde2824fd68c33517ce9bcdda248be7cec4b486cda97aa0aa2586b31e77bb

Download Submit
C:\KaVBQS\bodxsys.exe

Filesize
2.6MB

MD5
df387a497970d580a6a304074e88482c

SHA1
2b14128c1b22b7f0b8c0b2e6243eb21f8ad3bda2

SHA256
ca010665696767f7913d9c58489d79d08725054bc95ec0a836292acc8343f686

SHA512
a868751aee3843b5085d14467221ce0a2e071285742727865739de0716a94fa0937b9726cc45ee7ee2fd9e4608753397cd08e5333ad890572106b463552267dc

Download Submit
C:\SysDrvG9\devdobsys.exe

Filesize
2.6MB

MD5
8a84b6031538e4a7067dba4573c43032

SHA1
f11ad4301f07a9ff6b3b3724e8089d91e2b7c750

SHA256
2a1c3b3e6799a45858480fa3fe7da72e1e28322e89631233320fc3b7f267c27c

SHA512
a1ecc1fa8a2ce3da43c5527b9a63c75e7e6c80262e221a7dd3cd6bc4a6081a061aeda0b22734ab756adcaafa0654dfd2ba4346204cedb3eb0e68f6307b87c66b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
31862b69cbea8e70a697893cf4858c2a

SHA1
c6efd2bc051392876243c1ce4ca9edea4279ae5d

SHA256
811deac8f4e649ee5b4d40f2fcfd297b08e78ba177d3ea6c23ef522e68789d94

SHA512
0b9b63809c921a8739cd766c2ac53a8583a5141f73822647b95e82083070001a0d8c4d616793573220cab437455731931e6bb177209bb494148165f566204fda

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
e0452b9fe937150c592c42d29ea874b8

SHA1
a62030244f36d553a5745d6295b029506edaa75f

SHA256
062a2c20a419339fa855a294165b2cfad742c5daf03b2c7e62b51b7613eff0b2

SHA512
8c3804e0c6ff726b230e6eb311eb0c682672c6acec6285d73464afe72e319d82ff56d738b78a169385d9797e25562f8a30b1a4fc4d752f08012007c4b0b01cec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
49610cbefb7e4acc1c211601c67edcdd

SHA1
50ed818934af83cd061afdf28825205abfb21838

SHA256
e7ac44ef56f720d5851966eb80663379c1f5da9072792f8680ccf6e2284ffed2

SHA512
dbc514bfc27c901c20b25aabe731c7397411c393a2e695177a7c0a2221643866eadb3b171d00a7d1a9b5c9d25e4b445c23b52e3b984a211e30da7e6f62bed3ae

Download Submit