65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbc

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe
Size

2.6MB
MD5

eaed8dd21e9216c702ae2650f029ef70
SHA1

204134cc9488c8ae713eca2378cc2879c7c027ed
SHA256

65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbc
SHA512

84a6e42e62ec6b6cae2e17129168c2f5cd49e068fac9a90e7dbaef7288ce7309b1a7a03a8ce9a8f2717e64dddda991b799e6a8fc0d00dbd3f7a73fc670c04c5e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bS:sxX7QnxrloE5dpUpYb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe

Executes dropped EXE 2 IoCs

pid	Process
4964	ecadob.exe
444	xbodloc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQQ\\xbodloc.exe"	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZOB\\bodxsys.exe"	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe
4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe
4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe
4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe
4964	ecadob.exe
4964	ecadob.exe
444	xbodloc.exe
444	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4964	4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe	89
PID 4748 wrote to memory of 4964	4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe	89
PID 4748 wrote to memory of 4964	4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe	89
PID 4748 wrote to memory of 444	4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe	90
PID 4748 wrote to memory of 444	4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe	90
PID 4748 wrote to memory of 444	4748	65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe	90

C:\Users\Admin\AppData\Local\Temp\65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe
"C:\Users\Admin\AppData\Local\Temp\65c91959d19830a81430bea3afc1dee8de549accece9b47265effd091e9f5bbcN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\UserDotQQ\xbodloc.exe
  C:\UserDotQQ\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZOB\bodxsys.exe

Filesize
1.1MB

MD5
8afab793c2218de78cf959a338116cee

SHA1
504cc54990119af3703e1ed384bb5ec82cf436e6

SHA256
f10c3df540ce6ccd92c5a16f0eaff97d60e0e5eed617f8b59b2270b2fbdde253

SHA512
f4aba708b7accc388648623f9929aaa8a1e3d1c5119d9186c3cf337a20abd57eb13fbdaf19087d319ed058be52f1bfb4046351b1f89d3d787839a83246ac2679

Download Submit
C:\LabZOB\bodxsys.exe

Filesize
2.6MB

MD5
00bd3bca854ab0473f608d0f5b617856

SHA1
dc07625e8956061aa357b8e9ac25f01d2acc8ecf

SHA256
215a8380c18f4fc2b0dd9719c4dc07a072f172e2b569a96c4883758ac2604280

SHA512
ba14f17157da3c8bde7865f1131fa0ae1721311a2ace0c94ab6f35e52f0274feb498e018ceb79c61e8278e79c58fca1ea39c01627b005d142590d2dc525a1671

Download Submit
C:\UserDotQQ\xbodloc.exe

Filesize
2.6MB

MD5
a5c07c0f199f96403c47b058322b6c07

SHA1
e1ff2e32d67df789b71ea051204599798a420939

SHA256
9c38e5294518e95d1eacb3b4a59743a4ecc39cd4e7a3cc67cfa7df223ef1b2a7

SHA512
60a85dccec77506dab1d480620c23f4d824704e7e86a44eae734e73a4566c899edaedb505f890346d8446dbd06e5638d9087b426cdfc65f7ff2257f028023e19

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
882f8be9523ec02cbdbe9e0037083849

SHA1
ab4b97df4c319396b0865feabb96aefe14cf6441

SHA256
98ccbfa915e82ea6b384f563baf292b365e10df04053f698480635c88653d9a3

SHA512
9ab9dba48207ed82503468bbde5d96af7377fb831c1d442b15a91165868df7e60e338d4bcad50738686078471a079a69a886d5cdfef23bd5339dffacf8ac76fe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
022371ad817ff4b7e05daffe3688137a

SHA1
db74ee325d0cf691a5de56c5bb98d6e1b5c08ba3

SHA256
03782eccf9e7a3e974a57ae7cc256da2081f2a1f09288017a14634cb50cd32f7

SHA512
a0629632231fc59b206a46dee685fd9867adc727c448ef7f4730244e49753cebd8772d0a73ef6692cb05ba95e9d87a35493be19153501146788839988580a126

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
77b7f17a3bd5c1d0534c0e949cfb6302

SHA1
c322f0f73bb323379311bb3bf9e3b1fdf0eba5d1

SHA256
7d27202d70e118a5b5dc772a86a4a61868e566342f43b7c49762928aacc0c7d5

SHA512
775a0eddfd433eb08e76dbd3edccd41fe6328c6ca77ebdeb775e1ab3973f7915ed4dfa793b42130e787917f8c2b8780faa5c9625b7760e33e896ec433f017625

Download Submit