7bf32c6ac0cdc0b3d1f8a8edab395ad657684a6727add540ef549e0c061e64ae

Analysis

max time kernel
119s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ea787ebf2699318c40579ee8c734410N.exe
Size

2.6MB
MD5

4ea787ebf2699318c40579ee8c734410
SHA1

6c1df063f60e4a28ed791310e465680d702eaed9
SHA256

7bf32c6ac0cdc0b3d1f8a8edab395ad657684a6727add540ef549e0c061e64ae
SHA512

64dae9089f6492ce856cf8d20e89f643dee39e9b658bf4dc6312b49abee2078df71ea89ea2773406c007b0186ae89f1901043fbd86c7f928c39541acb155152a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpib

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	4ea787ebf2699318c40579ee8c734410N.exe

Executes dropped EXE 2 IoCs

pid	Process
668	ecxbod.exe
2444	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJJ\\xdobsys.exe"	4ea787ebf2699318c40579ee8c734410N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY6\\bodxsys.exe"	4ea787ebf2699318c40579ee8c734410N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ea787ebf2699318c40579ee8c734410N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	4ea787ebf2699318c40579ee8c734410N.exe
2320	4ea787ebf2699318c40579ee8c734410N.exe
2320	4ea787ebf2699318c40579ee8c734410N.exe
2320	4ea787ebf2699318c40579ee8c734410N.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe
668	ecxbod.exe
668	ecxbod.exe
2444	xdobsys.exe
2444	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 668	2320	4ea787ebf2699318c40579ee8c734410N.exe	94
PID 2320 wrote to memory of 668	2320	4ea787ebf2699318c40579ee8c734410N.exe	94
PID 2320 wrote to memory of 668	2320	4ea787ebf2699318c40579ee8c734410N.exe	94
PID 2320 wrote to memory of 2444	2320	4ea787ebf2699318c40579ee8c734410N.exe	95
PID 2320 wrote to memory of 2444	2320	4ea787ebf2699318c40579ee8c734410N.exe	95
PID 2320 wrote to memory of 2444	2320	4ea787ebf2699318c40579ee8c734410N.exe	95

C:\Users\Admin\AppData\Local\Temp\4ea787ebf2699318c40579ee8c734410N.exe
"C:\Users\Admin\AppData\Local\Temp\4ea787ebf2699318c40579ee8c734410N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- C:\FilesJJ\xdobsys.exe
  C:\FilesJJ\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3988,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:8
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJJ\xdobsys.exe

Filesize
7KB

MD5
84c3a9ef71c6c32cc10faa7a3122fe8d

SHA1
44094cadec949c065d4321a4cb7bb4c11cd999f9

SHA256
de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b

SHA512
f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a

Download Submit
C:\FilesJJ\xdobsys.exe

Filesize
2.6MB

MD5
b822d9ba92e74d9968de763cbf035630

SHA1
3c0f017ce145f004654cffed5a66d14e592fbe67

SHA256
60d90e9af3cdb42c6af996db03f6329db8477fb3cc88631eaae182c4dc876949

SHA512
8d1ca2bc119dbc888140efab364501247138c3ce8b1c78b60d9f11f8c0dbad6baeae2354d1d6ac5f8276c03a486f4cf4a541c60e6e98f4a9c2c13f56f6265b74

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
198B

MD5
524d6652d503c673c15cc1ead9279302

SHA1
a2501f9cd5d5167d7b7aac6093cb1a73278318ce

SHA256
6a924425845c36bc344771c119dc648f69b817c901e8bf65ac6e4b2221707be6

SHA512
3ece361629960a9960539d2816c6b64bd0d95c0a01f76697eabf4f0e80c93363bfebd15a014c4af22872b2106129a999034f1f9bafbd0817631644555fd18e02

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
166B

MD5
345680edce6355d77c55b60ff5f55fff

SHA1
f5713527dfce462718589f5e39b4647540774fa4

SHA256
dabe823c6690ce08ea2167c0dd94464bd33aeebae8ed8e51e032e91210620b50

SHA512
07eec0b21f3391eb2ebac9668ceba012bde669edb98859d49cbe09a19d2b7d515feae2225db03360c7871038253cbc589e1a92c20ac36ed179f71f390412dfe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
5b5ffe080a1282fdfb59eb863e09c76c

SHA1
a003e81ad5f03ce1e2f105dccce750dd95cb329f

SHA256
fd536819cdd40dab73e868442624067e7a519f8773b2fe69971c5d51d3c598fc

SHA512
73dde03b8f95d0a949dcd05ffd7f75cb149115842a2b94a8d5de1dba0d1b7baa3a8119d9274c3d14c07b28f59b8ec4fb53a5211f1989da2371068dce6b1c24a1

Download Submit
C:\VidY6\bodxsys.exe

Filesize
664KB

MD5
3e8fd497abf25a210b5c232f59ab13d3

SHA1
80e603c72c8ee5ecbce8e34ed98be80fa526af0b

SHA256
d373e88153578646d7b73c49d259c2d11af8c94661e73f1e1f50d88c910d8b7a

SHA512
69929b8218462bcb95452a3d3a1b2e9b4f365f75c4d2273373c0644f33ee704667d0a9cc2b171174380091f6351afacd68d95db3af71a8d80ed250262486e654

Download Submit
C:\VidY6\bodxsys.exe

Filesize
2.6MB

MD5
7fe9b9e69582e930e39c9316252072dd

SHA1
d923fc2ea104546a2e7f0c661e94ee6f3fce023b

SHA256
5086761b5fc8d2647bab0b4a35b99f85230a3a64ce694f8c7ba5650ecc7ae035

SHA512
9874d1d3bc36710742e84e17c0a54d8cc7a2805abecf3bc5e4a4a94eb2cafb919bb8f50d0617087cb36c219ec8cf50baec8ada62403cd454553839612359730a

Download Submit