d8caaee04bf91a8503b5cdd7889ad82e1d7eab406cb14ca3560970f4ebf073f2

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 00:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc5f49247fad06d79c5b846d8fa011d0N.exe
Size

2.6MB
MD5

fc5f49247fad06d79c5b846d8fa011d0
SHA1

c79d506e54f7295d5a1051f877bf72331d8e37a1
SHA256

d8caaee04bf91a8503b5cdd7889ad82e1d7eab406cb14ca3560970f4ebf073f2
SHA512

405005b85cd14e32ed13be8333bb317401570d192e306f429c14b21a7a09ec663ac7684fb781e42f5b398094a35ae369dcb97da4edba9cb29e1a398759409492
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpMb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	fc5f49247fad06d79c5b846d8fa011d0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3900	ecxbod.exe
2504	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHG\\adobec.exe"	fc5f49247fad06d79c5b846d8fa011d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBK4\\boddevloc.exe"	fc5f49247fad06d79c5b846d8fa011d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc5f49247fad06d79c5b846d8fa011d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	fc5f49247fad06d79c5b846d8fa011d0N.exe
2440	fc5f49247fad06d79c5b846d8fa011d0N.exe
2440	fc5f49247fad06d79c5b846d8fa011d0N.exe
2440	fc5f49247fad06d79c5b846d8fa011d0N.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe
3900	ecxbod.exe
3900	ecxbod.exe
2504	adobec.exe
2504	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3900	2440	fc5f49247fad06d79c5b846d8fa011d0N.exe	94
PID 2440 wrote to memory of 3900	2440	fc5f49247fad06d79c5b846d8fa011d0N.exe	94
PID 2440 wrote to memory of 3900	2440	fc5f49247fad06d79c5b846d8fa011d0N.exe	94
PID 2440 wrote to memory of 2504	2440	fc5f49247fad06d79c5b846d8fa011d0N.exe	95
PID 2440 wrote to memory of 2504	2440	fc5f49247fad06d79c5b846d8fa011d0N.exe	95
PID 2440 wrote to memory of 2504	2440	fc5f49247fad06d79c5b846d8fa011d0N.exe	95

C:\Users\Admin\AppData\Local\Temp\fc5f49247fad06d79c5b846d8fa011d0N.exe
"C:\Users\Admin\AppData\Local\Temp\fc5f49247fad06d79c5b846d8fa011d0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3900
- C:\SysDrvHG\adobec.exe
  C:\SysDrvHG\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBK4\boddevloc.exe

Filesize
2.6MB

MD5
176caeeaa57fe64fd8e656f53afc3552

SHA1
6e6ad7bd259e07c62609e4309fc16ab950220d4b

SHA256
e566d8c5eee4263a80d516f671b5c379bb1b233027fece02352bd6a0b890b5d6

SHA512
d365ecda0d5670d109dbab1879e3ed5a7b386dbc61333b6c3516a555af9691b5355266f11d5b152875ea8f978618ea4670a90f0251d798154e561f6e05f36b15

Download Submit
C:\KaVBK4\boddevloc.exe

Filesize
13KB

MD5
642d5fd1c5d47e0cd3efc57772bc2053

SHA1
bc41dd3d35783afbd472e73a9f63190d7e166933

SHA256
354d593722f5c5af8706226640303ec107869e0842004e188841efc1b84c1798

SHA512
3c5ab6241a835ab0cffcf0d36944fcc6eb3aa2afc83dcda29790a9a82f9f14ae2423a853816bc47894042dbca59e25ab4eb432113fe9ed87505cd8093adefab9

Download Submit
C:\SysDrvHG\adobec.exe

Filesize
2.6MB

MD5
338a21228717f42a1e3864754aa1d784

SHA1
d8085a719f7b9c5481c4a52d5487f8162278f512

SHA256
68dd0e1082dd5ce2699e92c5fc7bcaeceb980778df3639036ef49c57e29e7db0

SHA512
0142973ae4aebf781c6bf9a8c9ca1b6426abb195ad419571973099ac1228c731d49754f6ec3b3cd6bd5441682babc4e7fb062e44eba27e77a6eaa40ea7a33c9f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
bd5ba9610501f1f1a82f5310bba573bb

SHA1
a574a88a093030367b08ec7c78c022adf195a720

SHA256
202a9ef419d8b5103447fe23b1fbf1ed7d3abc3552a0e1100f9f47f82aade39b

SHA512
02cca9a5f67d54344e1f9fce7e70998f2d94507e1ab3b3a0b3e22883b3914c86c211ac6b1679c53d9ee362bfdaadbf15174cadf032dc6c5d945e226be766ce8b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
c30bd7fc26017d358bffd68f8cac3f74

SHA1
97df71c99ec2b5f0b3957049a5884b0e1b42b81d

SHA256
0cc20f976810413f089ed42f78c72a0db2d6e8bace0ce176a713c3e801f6f9d7

SHA512
21417f09d81f4514d76b8afae2b7eb1c79ccd305620a28c9f26edc57da03f2f0b43274767180bc12332c47a48537f0b1c9bc0c630c0dc57e5b0a0e87987a14d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
81a53e7d730d621663edff1f52a44861

SHA1
33a464138df399faf488ced913b65d2f38ee34ea

SHA256
060355c11db5573fabcf50c290c7510ee6ad6f04980f75b65e2e308737b6b1bd

SHA512
ef8534970f2c9f5752210668d98931a273dde9aaed151f1ff967c9fece30f4c67078f034de068d55ddbb062cb63c7e2bcf0bc0cbfbd387ea288cfc9eb4af318d

Download Submit