ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 23:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe
Size

2.6MB
MD5

9540846cf0d25a903d3e11ce0ef92cb0
SHA1

6467b140c76cd4d934de1c6bea1a5d8a12c6be27
SHA256

ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7
SHA512

a7adc6922305d866fff86aad6111cc4b04bd773965a5ac8ccd5021f591570864e976c749ec6a1335263132f639eac5f58d9ac79abd04535a7422b444efb30edc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bS:sxX7QnxrloE5dpUp8b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe

Executes dropped EXE 2 IoCs

pid	Process
5064	ecxdob.exe
2280	xbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSR\\xbodsys.exe"	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidB7\\optidevec.exe"	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe
2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe
2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe
2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe
5064	ecxdob.exe
5064	ecxdob.exe
2280	xbodsys.exe
2280	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 5064	2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe	89
PID 2020 wrote to memory of 5064	2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe	89
PID 2020 wrote to memory of 5064	2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe	89
PID 2020 wrote to memory of 2280	2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe	90
PID 2020 wrote to memory of 2280	2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe	90
PID 2020 wrote to memory of 2280	2020	ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe	90

C:\Users\Admin\AppData\Local\Temp\ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe
"C:\Users\Admin\AppData\Local\Temp\ab07281623779941838aadc9809a68f12863c605577be1a8871c464eb36e08a7N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\UserDotSR\xbodsys.exe
  C:\UserDotSR\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=1320 /prefetch:8
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotSR\xbodsys.exe

Filesize
2.6MB

MD5
5ab2399bc32dc8696c53e8b34027e701

SHA1
ffc12ad44a39728bbdb992d19baf7a8bca226988

SHA256
ef48032d5becde1ae410728996f54f5bd8948ebef7b7615e95a1f1d7b6eacbfd

SHA512
8c552ecf64f806682d65fcb56246216b202385a87215f619bdbcdbc51250ddcfba00b61a421ae682b7beee4596ae43f6300faabd772f68fb49e93a7e19c5bd27

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
637749ac8586997524e4fe468a1c837c

SHA1
faa397a0644809be1fde632e67eb4c32d2416ebe

SHA256
18e3545ddc047359f098ceb4d99b5b99787878fef81252e1ea0f3af70790b6ad

SHA512
09a75173c074ac69550d3e29a3b44e9622ac3c8be11514c7ed162021c3b834ece54a23af705d4c68ea8b47374abbb5bc35bb795797292ecd7546ec6a39e563f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
7cc49710400c16526684368b7496e1f2

SHA1
57764909eee31a446de337e09e465691be07d224

SHA256
b11934e9031df45d0c38131c8c4e8641fe5f4dd58aa672b72f352fa4c2e72bec

SHA512
ec8f4a36cdabe3bde81695326c8d6455e1958cb022c9b7270939c72c7eaf319e4a04b6c5910b4b1fc8abea72ac508b25cbd038a70eccd0ed6e8d41d664d2b005

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
eaa5384f003bf4ed1f6012aa6e0cd195

SHA1
9aac5134aa29b83154a97493dbe2ff8b7665bbd8

SHA256
314eacbbc6c0b5f0bfa0286930673e678a2cb127cd871b9bb87694cf75afe253

SHA512
ff8756b0b293c943adc6e6adfead68acff66c741b8ffcf7a9305f67fce5428aad2f644ef2ea4c47fc09791c07855df157d079be647dcf6fa2255dd2fdb5165cb

Download Submit
C:\VidB7\optidevec.exe

Filesize
2.6MB

MD5
a92768e8ba0f53fd746419fc375bc8c9

SHA1
35be8f3f0af07fcf3dfaeecc027031d9dddaab5e

SHA256
0b82d1c1093cdc18f75dd1ff86b0651753dabb1ebde46e34f9823b2226fa9f7c

SHA512
db5b45bb70720f7c3c953d5492a3cb0607b3e3b5fc3911dca7a7d65a5697ed9cfe04c4f9ed0e27b37046a9b8a99fb289ee50452e519888bddac3920c394639cd

Download Submit
C:\VidB7\optidevec.exe

Filesize
2.6MB

MD5
1532a5769d87c57b4a35789c5efbb5a0

SHA1
e515442caaf3f1650ef669a5bbe2e349199c422e

SHA256
5dbc60ba2dbf6ac6c309f8abf43d5d402a249d30a7aea8e3d203ab4535032564

SHA512
daffbef7ffe8c5013161f8b22fa38794dcc17b9f97e0cf2ff99d5076404d5e73c5648c1f571e9f0694adc7a1ea9b0030f9a7df24997f316545028cc3a796bdda

Download Submit