Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2024, 14:08
Static task: static1
Behavioral task: behavioral1
  Sample: 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
  Resource: win10v2004-20241007-en
General
Target: 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
Size: 2.6MB
MD5: 5f4f1944a84e9de12002ea1bdad7e7b0
SHA1: 894083158d61e521c5564f4c9096eef92d745361
SHA256: 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273
SHA512: 6bc6c334ff8d4ea78f270859d87c02adc44ca9658d888e3cb9d86f8294364ad70d3038851dddaf9c8277aa641142a2694e929c7f6db2618db66de4f97b966b2c
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bS:sxX7QnxrloE5dpUpBb
Malware Config
Signatures
-
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    Process: 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
-
Executes dropped EXE (2 IoCs)
  PID 3044  ecdevbod.exe
  PID 2368  xbodsys.exe
-
Loads dropped DLL (2 IoCs)
  PID 1620  298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
  PID 1620  298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBH\\xbodsys.exe"
    Process: 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBZ\\dobasys.exe"
    Process: 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodsys.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1620  298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
  PID 3044  ecdevbod.exe
  PID 2368  xbodsys.exe
  (The report lists 64 such events: two for PID 1620, then alternating entries for PID 3044 and PID 2368.)
-
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1620 (298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe) wrote to memory of PID 3044, procid_target 30 (4 events)
  PID 1620 (298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe) wrote to memory of PID 2368, procid_target 31 (4 events)
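The persistence chain recorded in the signatures above (an EXE dropped into the per-user Startup folder, Run and RunOnce values both named Parametr pointing at C:\IntelprocBH\ and C:\GalaxBZ\, the dropped EXEs executed, and the NLS\Language key opened by all three processes) translates directly into a hunt over endpoint telemetry. The Python below is an example added for this page; it is not sandbox output and not code from the sample. It runs a small rule set over a constructed, Sysmon-style event list that mirrors the process tree; the event field names, the benign explorer.exe and OneDrive control events, and the TRUSTED_ROOTS list are assumptions. Note that the RunOnce value points at C:\GalaxBZ\dobasys.exe, a path no process in this run was started from, so the rules match on the registry data as well as on observed images. The language-key read is treated as corroboration only: it is reported for a process that already has a high-confidence hit, since on its own that key is opened by plenty of legitimate software.

```python
"""Hunt for the persistence chain in this report over Sysmon-style events.

Added example for this page, not sandbox output and not code from the sample.
The event schema (type, pid, image, target, data) is an assumption for the demo.
"""
import re

SAMPLE = "298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
STARTUP = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
HKU = "HKU\\S-1-5-21-1488793075-819845221-1497111674-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\"
NLS = "HKLM\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"

# Indicators taken from the report: Run/RunOnce value name, drop directories, Startup folder.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
STARTUP_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE)
LANGUAGE_RE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)
DROP_DIRS = ("c:\\intelprocbh\\", "c:\\galaxbz\\")       # directories this sample creates
SUSPECT_VALUE_NAMES = {"parametr"}                        # Run/RunOnce value name it uses
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows\\")    # assumed allowlist; tune per estate


def _untrusted(path):
    """True unless the (possibly quoted) path lives under a trusted root."""
    return not path.lstrip('"').lower().startswith(TRUSTED_ROOTS)


def hunt(events):
    """Return (strong, weak) lists of (pid, technique, detail).

    strong: Run/RunOnce writes to untrusted paths or with the known value name,
            EXE drops into the Startup folder, and processes started from the
            dropped locations.
    weak:   NLS\\Language reads, reported only for PIDs that already have a
            strong finding; alone this key read is far too common to alert on.
    """
    strong = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "registry_set":
            m = RUN_KEY_RE.search(ev["target"])
            if m and (m["name"].lower() in SUSPECT_VALUE_NAMES or _untrusted(ev["data"])):
                strong.append((pid, "T1547.001 Run/RunOnce value",
                               f"{m['key']}\\{m['name']} = {ev['data']}"))
        elif kind == "file_create":
            if STARTUP_RE.match(ev["target"]) and ev["target"].lower().endswith(".exe"):
                strong.append((pid, "T1547.001 Startup folder drop", ev["target"]))
        elif kind == "process_create":
            img = ev["image"]
            if img.lower().startswith(DROP_DIRS) or STARTUP_RE.match(img):
                strong.append((pid, "Dropped EXE executed", img))
    flagged = {pid for pid, _, _ in strong}
    weak = [(ev["pid"], "T1614.001 System Language Discovery", ev["target"])
            for ev in events
            if ev["type"] == "registry_open" and LANGUAGE_RE.search(ev["target"])
            and ev["pid"] in flagged]
    return strong, weak


# Constructed events mirroring the process tree above. The explorer.exe and
# OneDrive entries are benign controls (assumed, not from the report).
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 1620, "image": TEMP, "target": STARTUP + "ecdevbod.exe"},
    {"type": "registry_set", "pid": 1620, "image": TEMP, "target": HKU + "Run\\Parametr",
     "data": "C:\\IntelprocBH\\xbodsys.exe"},
    {"type": "registry_set", "pid": 1620, "image": TEMP, "target": HKU + "RunOnce\\Parametr",
     "data": "C:\\GalaxBZ\\dobasys.exe"},
    {"type": "process_create", "pid": 3044, "image": STARTUP + "ecdevbod.exe", "parent_pid": 1620},
    {"type": "process_create", "pid": 2368, "image": "C:\\IntelprocBH\\xbodsys.exe", "parent_pid": 1620},
    {"type": "registry_open", "pid": 1620, "image": TEMP, "target": NLS},
    {"type": "registry_open", "pid": 3044, "image": STARTUP + "ecdevbod.exe", "target": NLS},
    {"type": "registry_open", "pid": 2368, "image": "C:\\IntelprocBH\\xbodsys.exe", "target": NLS},
    {"type": "registry_open", "pid": 900, "image": "C:\\Windows\\explorer.exe", "target": NLS},
    {"type": "registry_set", "pid": 1234,
     "image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveSetup.exe",
     "target": HKU + "Run\\OneDrive",
     "data": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
]

if __name__ == "__main__":
    strong_hits, weak_hits = hunt(SAMPLE_EVENTS)
    for pid, technique, detail in strong_hits + weak_hits:
        print(f"PID {pid:<5} {technique:<36} {detail}")
```

On the constructed input the three sample processes are the only ones reported: PID 1620 for the Startup drop and both Run/RunOnce writes, PIDs 3044 and 2368 for executing from dropped locations, and all three again for the language-key read. The explorer.exe read of the same key and the Program Files Run entry produce nothing, which is the point of gating the weak signal on a strong one.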
Processes
-
C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe (PID 1620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (PID 3044, child of PID 1620)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  -
  C:\IntelprocBH\xbodsys.exe (PID 2368, child of PID 1620)
    Command line: C:\IntelprocBH\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2.6MB
MD5: f352f380ae889fc106c5cd33d0f394f5
SHA1: 86a1f5e36cb8a125dc78e4ae2afecbceb51d5693
SHA256: a77b5c6fdaf62dc9dd33b6abe3ba79d4ab08dea242586b669e6612bf8ccd1bf9
SHA512: cc8d37edef07224579dd77f8d754422444598ec344e6393af6eaa6b466f60ff68c77130a110370c4120a34dd0fe73434da92c75495b63fda922c4d639a7b8089
-
Filesize: 2.6MB
MD5: aac74e8974e0fd5da63b44dd061f80a1
SHA1: bdcfe26b91d968f331913268a3807ad95fa7a3f3
SHA256: 18c566d77b99cf75275f1a1c8e0c9d7557ac511d2ac4a4391e8cbe9416ad65bc
SHA512: 100de874a1517b8974e6ee0266f35aa1d234e882667b7ebe55bfe170889c5d3cbf3c68f32b5988d8b4a0fcf7e50143e85d2a7d37789aff13de2aaf9aeadb6f12
-
Filesize: 2.6MB
MD5: 0ac81f0cf65b0c10b3a47eef0fe8f03b
SHA1: c7581ea428b30139a83c14d058c2eca10db8f679
SHA256: 456cf555aa941a4b9bde06bee683275d2ffb6d57a9b96d273ac5ebf5408fa350
SHA512: 59177009c5d964497d74ca7eb7e742391864f4169f1db809fc152e7c19bbb06dfcf3a19276ca24f148908985cb09f16bc93816e368ce60ea96faee4f36895525
-
Filesize: 174B
MD5: 55e0dbfa6eff772945c470db86c29055
SHA1: f76162df69191c8f7d193f3fe114225162b435aa
SHA256: b03ba3c418a57c8c295475e0218ff8acbc8a415f81ba27ed9374881db1811aa9
SHA512: 542a9a8b949511bf2ed1e33b6c040036634d4feb06f60090348825ee2a021f7b2212462dda115d0693cea4bad0d44d4af1710225b017a112f02e988bb161386c
-
Filesize: 206B
MD5: a2c8139958833a967304ac5f05b8908f
SHA1: 897c56e3e6ea8df50be483e6d1d38daa09bd17a6
SHA256: bdcf91815db69460eea86e529a99b2da9ad2699808e15a71ecb5c6283e8b892d
SHA512: 3729b1d1d71e2719f6543b5e2bf65dca3495801df2cf4307016e06ee79e4b800db7db8e626ab4dc90a907d35054b7190959f93153b7ae3706e203ae8abcd6a62
-
Filesize: 2.6MB
MD5: 1b17197225f458814da214ce4200d5f6
SHA1: a140f9885812260c1d23b7c848148660bde7367e
SHA256: c3f5453883d3a78499e2969aeceb86e8b48b64c78a71d3edd65e500d64b104e1
SHA512: b44de425486f5e5bf8e4a0b68a147b3a7ea2156e1fdfb8fd5645df1a3d0949c890788dfff9d4e19f8bacf0b51ea8930004a213a64d02f35840b70dd0a37b5cf3