49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7db

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
Size

2.6MB
MD5

19f901d1634b31531c8b304ed1108150
SHA1

933d7b4f38cbb48002a60cb8a36691f9e6695e04
SHA256

49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7db
SHA512

37cc10694f8e4546d8284294a448e2bdc497b0c9aecd0c66adb280149766f770d9c25633d8b73d3a0c093b655a2aa91e824c16e1a5518ddaed9b2ae23000ed3e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bS:sxX7QnxrloE5dpUpKb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe

Executes dropped EXE 2 IoCs

pid	Process
644	ecabod.exe
1116	devbodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHB\\devbodec.exe"	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIO\\bodxsys.exe"	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe
644	ecabod.exe
644	ecabod.exe
1116	devbodec.exe
1116	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 644	1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	89
PID 1448 wrote to memory of 644	1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	89
PID 1448 wrote to memory of 644	1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	89
PID 1448 wrote to memory of 1116	1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	90
PID 1448 wrote to memory of 1116	1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	90
PID 1448 wrote to memory of 1116	1448	49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe	90

C:\Users\Admin\AppData\Local\Temp\49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe
"C:\Users\Admin\AppData\Local\Temp\49ba645ebe0db8dce13efa9701848dbd2772be1fdc677cb2e59824aa9a2ce7dbN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:644
- C:\AdobeHB\devbodec.exe
  C:\AdobeHB\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:8
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeHB\devbodec.exe

Filesize
2.6MB

MD5
c5fcbc415882e11a15622ef140928b34

SHA1
c3b606933aa65b7f9c7f4dd9c67c2ecf8fefe12e

SHA256
db05ec799cb2d99dae05c63cef8a16a0573304578a40fd8abe76c57660835977

SHA512
843eed630a9f26c44fe00878e0c5ec67daa1011a9b6af1d438ce6b5de31a6a1f9e4f7ea00f7e06f906f72987be3aa21dc0a568699c6e1cc5c219d4a613a7e045

Download Submit
C:\GalaxIO\bodxsys.exe

Filesize
2.6MB

MD5
bed03fadf8cff8d156775f8b11ec0fe5

SHA1
55d490d8202629a09ecdef8625cc1f5ef8f09f8b

SHA256
5c88ec0b15fbcdbb08b4a9ab61e005b9b0cae1cee79769788c82657c7db14803

SHA512
b582aa34ac62a36f07f27678a7310334f11885deb1c660917006b8e1109c7e4f248f6b3da60b6460444b82410f3ed7827d0cf3bb8c1a201c62a6662e69128346

Download Submit
C:\GalaxIO\bodxsys.exe

Filesize
1023KB

MD5
a71246a8dddb43e409b580dc5e82921d

SHA1
f56a109d42321bca9b1c73c29dcfed5010294f02

SHA256
83369e5be88901973b58f4a4ac0c29d8e48d7a269ff5f9e7c0facbbc13ef8c48

SHA512
b740ed68e3a3999d7cf0514281d949dc0b2ece795f83b7e50cd811baf327b759278bb9081d98f85e4962aefaea98058de417a56e005865eef09958aeb1edba3d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
320671cfbebf07ff038e8994bfc98bf4

SHA1
5b620d469b58b094a5b63d2d9c14fef214825a51

SHA256
543026f543e6cd7a2917cc613e0f171405781f476106590d8db6c586264fcf11

SHA512
d519d77c1297b2f9e57d43a543e8a9042b3097769ea907ed0d6d852b703eaac17588208ceaaaaa3ecefcfc58083aac565bea758dea9ea8936678aaf083db77c2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
da630180f4c2a97658579966c75fee85

SHA1
1c869d07c9e97fc9a34c2e2f4e6afc2e2f1201c3

SHA256
5ee452e98f21ce4b9764129128c53bde40c3987227d9613b249c8b14fde9b88d

SHA512
ae28b80eec761a4241095d918ef391e29baac131214558bfe1133c25fd25d27205a4df19c7fcceb03319f4d8cab0de94bb41037f542a11f03987e50f17c71ee8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
ba0d5706cefefb6f98a01a5e156b9ce9

SHA1
418b8af5f21d944a2223be0220178121ca1c84ab

SHA256
e559244649e546a078ae8a94e2c13ce2a74f46a66f5422a9a8fa62a8a1256d64

SHA512
7b6356ad5c82aa0b954c3e423d348c32c15c5134db78ff54b33a816f64f5708e58d8d0a23f646276774aad8a6321a012154906d5808ed790148363d80a18b65b

Download Submit