Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2024 03:52
Static task: static1
Behavioral task: behavioral1
- Sample: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
- Resource: win10v2004-20241007-en
General
- Target: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
- Size: 2.6MB
- MD5: 5ea12786e77fd6800b9cfd6c9aa64cd0
- SHA1: 52e706cc2bf6df78b29079d3e45cf68cbe0d49ce
- SHA256: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2
- SHA512: f19204e3fdfcbe6af4d455df247bc8a260f4d934a5e98c2e33214b8b728757888e982e79920cdca640934981b1a113339bd99db2c26396640535ceba9edb0c9f
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpOb
Malware Config
Signatures
-
Drops startup file 1 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (process: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe)
Executes dropped EXE 2 IoCs
- PID 2176: ecxdob.exe
- PID 2456: xbodec.exe
Loads dropped DLL 2 IoCs
- PID 1144: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
- PID 1144: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature in the report.
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeEY\\xbodec.exe" (process: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax68\\bodxec.exe" (process: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe)
Both values use the same misspelled name, "Parametr". Only the Run target, C:\AdobeEY\xbodec.exe, appears in the process tree below; the RunOnce target C:\Galax68\bodxec.exe is not observed executing in this run (RunOnce entries fire at the next logon, which does not happen inside the sandbox window), so its behaviour is not covered by this report.
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxdob.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodec.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 1144 d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe (2 entries)
- PID 2176 ecxdob.exe and PID 2456 xbodec.exe (the remaining 62 entries, alternating between the two processes)
Suspicious use of WriteProcessMemory 8 IoCs
- PID 1144 (d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe) wrote to memory of PID 2176, procid_target 30 (4 entries)
- PID 1144 (d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe) wrote to memory of PID 2456, procid_target 31 (4 entries)
Both write targets are the two child processes the sample spawned (see Processes below).
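As an added example (not part of the sandbox report), the Python below turns the persistence and execution signatures above into hunt rules and runs them over Sysmon-style events: a Startup-folder drop (Event ID 11), Run/RunOnce values (Event ID 13) scored higher when they use the value name "Parametr" or point into C:\AdobeEY\ or C:\Galax68\, and process creation from those locations (Event ID 1). It also reports any known-IoC autorun target that never shows up as a created process, which is exactly the situation with C:\Galax68\bodxec.exe in this run. The events are constructed to mirror the report, not the sandbox's raw telemetry; field names follow Sysmon's schema. The NLS\Language key open has no rule here because Sysmon records registry value writes, not key opens.

```python
"""Hunt rules for this report's persistence/execution IoCs over Sysmon-style events
(Event ID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue).
Sysmon does not log registry key opens, so the NLS\\Language probe has no rule here."""
import re
from dataclasses import dataclass

STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Drop directories and the (misspelled) value name observed in the report, lowercased.
DROP_DIRS = ("c:\\adobeey\\", "c:\\galax68\\")
KNOWN_VALUE_NAME = "parametr"


@dataclass(frozen=True)
class Hit:
    rule: str
    event_id: int
    process: str
    detail: str


def image_from_value(data: str) -> str:
    """Executable path from a Run value: '"C:\\a b\\x.exe" /bg' -> 'C:\\a b\\x.exe'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def hunt(events):
    """Return (hits, unexecuted): rule hits in event order, plus known-IoC autorun
    targets that no ProcessCreate event in the same stream ever executed."""
    hits, persisted, executed = [], set(), set()
    for ev in events:
        eid, proc = ev["EventID"], ev.get("Image", "")
        if eid == 11 and STARTUP_RE.search(ev["TargetFilename"]):
            hits.append(Hit("startup_folder_drop", eid, proc, ev["TargetFilename"]))
        elif eid == 13:
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if not m:
                continue
            target = image_from_value(ev["Details"])
            known = (m.group("name").lower() == KNOWN_VALUE_NAME
                     or target.lower().startswith(DROP_DIRS))
            rule = "run_key_persistence_known_ioc" if known else "run_key_persistence"
            hits.append(Hit(rule, eid, proc, f"{m.group('key')}\\{m.group('name')} -> {target}"))
            if known:
                persisted.add(target.lower())
        elif eid == 1:
            executed.add(proc.lower())
            if proc.lower().startswith(DROP_DIRS) or STARTUP_RE.search(proc):
                hits.append(Hit("dropped_exe_execution", eid, proc,
                                f"parent={ev.get('ParentImage', '')}"))
    return hits, sorted(persisted - executed)


# Constructed events mirroring the report's signatures (not the sandbox's raw telemetry).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
RUN_BASE = r"HKU\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP_EXE},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_BASE + r"\Run\Parametr",
     "Details": r"C:\AdobeEY\xbodec.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_BASE + r"\RunOnce\Parametr",
     "Details": r"C:\Galax68\bodxec.exe"},
    # A legitimate autorun, included to show the generic (non-IoC) hit level.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": RUN_BASE + r"\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": STARTUP_EXE, "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\AdobeEY\xbodec.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    found, never_ran = hunt(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h.rule}] eid={h.event_id} {h.process} :: {h.detail}")
    print("autorun targets never executed:", never_ran)
```

The generic `run_key_persistence` level will fire on legitimate autoruns (the OneDrive entry above), so in production it is a triage signal to be combined with the parent process and file-drop context, while the `_known_ioc` level and the "never executed" list are the parts specific to this sample.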
Processes
- C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe (PID 1144, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (PID 2176, depth 2, child of PID 1144)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\AdobeEY\xbodec.exe (PID 2456, depth 2, child of PID 1144)
    command line: C:\AdobeEY\xbodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
None of the hashes below matches the submitted sample (MD5 5ea12786e77fd6800b9cfd6c9aa64cd0), so the dropped 2.6MB copies are not byte-identical to it.
- Filesize: 2.6MB
  MD5: 5ed7252408c3780ee5a8ea2eea9b56ad
  SHA1: ef7c096c3cd2d6ea35cf0b1b4ce9b270b002f2f0
  SHA256: 899fc5deb4a3c67dc6102ce6688737370afa958293645285e38d6fde955788e6
  SHA512: 85124201e06a91e36b6866951c5976cc17c259bdb95527397c37d44b0a8aea97411603af85ef5cc6d53780dec43ccb36666be8ad916c813f922e08b83ece9f58
- Filesize: 2.6MB
  MD5: ad79d9d06f3ec82d26a7c8fc0fe2ede2
  SHA1: 3592c42255bea685d693a6768c86a60537d7928f
  SHA256: fc4216f6ae5c2005ce2598fa858a2bf0ece79efa0acd0e9859a316d7dd14ccce
  SHA512: cfae3030e3f2d895a63d4b1a11b451d90f896f369d954ecab685989d0baa85b92aab9893c7cdb388947556806c9c346dde0a4d602e00374924bc008b211c2403
- Filesize: 2.6MB
  MD5: 5018c9e3f2fb784220d11fd29777f2b8
  SHA1: c1d6abe43eb00a1ac5909595df2c32a8db886e20
  SHA256: 7517feb22f2c65b687a297af5e8ac0733423eb6657c471ba229b579f58cf1d83
  SHA512: 28475e2e2d866da0db90c95c88a7530f0fb331a28a7c667e0b3a8b60cd0306f6c66151b53f3cca7fef22173b2c4f5a78d2b949ce94ffc58cd2de631ec7626eb2
- Filesize: 166B
  MD5: 482a2e8f7d02873c7114ad1599b46f47
  SHA1: aa586078fc0469680b92bad99bc20b48443fe880
  SHA256: 7bd2aeffbd5ab9d56d33a00d320e4f0f915373c18e479480e0f277aa63424597
  SHA512: 839d3f571006986a04523c3c26d0645f5f347ba6e2db457effe619838330adfe0938425e05eaee18528e2fcbf1e8e8df8d3e4539bce98887de1c81b12c68f6cb
- Filesize: 198B
  MD5: a15a32133eec4a22fb295064a6711b01
  SHA1: 2a90184a87cd5d6bafe28d3e253eb6d22a4c1a57
  SHA256: 040d1dafdf445c6aed6525bc9c1815869e52fd67c4a4705349653b39d8102b71
  SHA512: 936bf5bbd694a25bf53c2482c24a68cf3f82516574204d522f937aecb29bf9445e9c3b04dfdb27d074c61dad94e88c13063247a1da807c394f0738ab56493cd0
- Filesize: 2.6MB
  MD5: 719dec9fe989a72924a4fc396c0520b1
  SHA1: eab5bb0763719081659e7ab5a2a90fd451ff4af2
  SHA256: 8c87d3d1207b7c3e2d113ccb1f92fdba5a3278ba403dec483978bb822f95ca0d
  SHA512: a393e2d1aca37e85667790fbad2ba77cb1b8289705c679a9280905660e6fb0c2d4e371a41902a421a3798934f6a1c29a5761bf4e00385b867fef0d47a20f5cdf