Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-10-2024 03:52

General

  • Target

    d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe

  • Size

    2.6MB

  • MD5

    5ea12786e77fd6800b9cfd6c9aa64cd0

  • SHA1

    52e706cc2bf6df78b29079d3e45cf68cbe0d49ce

  • SHA256

    d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2

  • SHA512

    f19204e3fdfcbe6af4d455df247bc8a260f4d934a5e98c2e33214b8b728757888e982e79920cdca640934981b1a113339bd99db2c26396640535ceba9edb0c9f

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpOb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2176
    • C:\AdobeEY\xbodec.exe
      C:\AdobeEY\xbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2456

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeEY\xbodec.exe

    Filesize

    2.6MB

    MD5

    5ed7252408c3780ee5a8ea2eea9b56ad

    SHA1

    ef7c096c3cd2d6ea35cf0b1b4ce9b270b002f2f0

    SHA256

    899fc5deb4a3c67dc6102ce6688737370afa958293645285e38d6fde955788e6

    SHA512

    85124201e06a91e36b6866951c5976cc17c259bdb95527397c37d44b0a8aea97411603af85ef5cc6d53780dec43ccb36666be8ad916c813f922e08b83ece9f58

  • C:\Galax68\bodxec.exe

    Filesize

    2.6MB

    MD5

    ad79d9d06f3ec82d26a7c8fc0fe2ede2

    SHA1

    3592c42255bea685d693a6768c86a60537d7928f

    SHA256

    fc4216f6ae5c2005ce2598fa858a2bf0ece79efa0acd0e9859a316d7dd14ccce

    SHA512

    cfae3030e3f2d895a63d4b1a11b451d90f896f369d954ecab685989d0baa85b92aab9893c7cdb388947556806c9c346dde0a4d602e00374924bc008b211c2403

  • C:\Galax68\bodxec.exe

    Filesize

    2.6MB

    MD5

    5018c9e3f2fb784220d11fd29777f2b8

    SHA1

    c1d6abe43eb00a1ac5909595df2c32a8db886e20

    SHA256

    7517feb22f2c65b687a297af5e8ac0733423eb6657c471ba229b579f58cf1d83

    SHA512

    28475e2e2d866da0db90c95c88a7530f0fb331a28a7c667e0b3a8b60cd0306f6c66151b53f3cca7fef22173b2c4f5a78d2b949ce94ffc58cd2de631ec7626eb2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    166B

    MD5

    482a2e8f7d02873c7114ad1599b46f47

    SHA1

    aa586078fc0469680b92bad99bc20b48443fe880

    SHA256

    7bd2aeffbd5ab9d56d33a00d320e4f0f915373c18e479480e0f277aa63424597

    SHA512

    839d3f571006986a04523c3c26d0645f5f347ba6e2db457effe619838330adfe0938425e05eaee18528e2fcbf1e8e8df8d3e4539bce98887de1c81b12c68f6cb

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    198B

    MD5

    a15a32133eec4a22fb295064a6711b01

    SHA1

    2a90184a87cd5d6bafe28d3e253eb6d22a4c1a57

    SHA256

    040d1dafdf445c6aed6525bc9c1815869e52fd67c4a4705349653b39d8102b71

    SHA512

    936bf5bbd694a25bf53c2482c24a68cf3f82516574204d522f937aecb29bf9445e9c3b04dfdb27d074c61dad94e88c13063247a1da807c394f0738ab56493cd0

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

    Filesize

    2.6MB

    MD5

    719dec9fe989a72924a4fc396c0520b1

    SHA1

    eab5bb0763719081659e7ab5a2a90fd451ff4af2

    SHA256

    8c87d3d1207b7c3e2d113ccb1f92fdba5a3278ba403dec483978bb822f95ca0d

    SHA512

    a393e2d1aca37e85667790fbad2ba77cb1b8289705c679a9280905660e6fb0c2d4e371a41902a421a3798934f6a1c29a5761bf4e00385b867fef0d47a20f5cdf
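Host triage for the behaviour recorded above, as an added example that is not part of the sandbox report. Note that every dropped copy carries a different SHA256 from the 2.6MB parent, and C:\Galax68\bodxec.exe and the 253086396416_6.1_Admin.ini file were each recorded twice with different hashes (and, for the .ini, different sizes), so the sample rewrites its own drops during the run; the script therefore reports a hit on the observed paths and Run key even when the hash is not in the report's list. Assumptions: paths under C:\Users\Admin are mapped to the current profile, the Run value name (not shown in the report) is unknown so every HKCU Run value is inspected, and the constructed regex on AdobeEY, Galax68 and ecxdob.exe is the author's choice of matcher.

```powershell
# Added triage script for the report above; not code from the sandbox vendor.
# Run in the profile being examined (report ran as "Admin"). Requires PowerShell 4+
# for Get-FileHash.

# SHA256 values copied from the report's Downloads/General sections.
$ReportSha256 = @{
    'd0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2' = 'original sample (2.6MB)'
    '899fc5deb4a3c67dc6102ce6688737370afa958293645285e38d6fde955788e6' = 'C:\AdobeEY\xbodec.exe'
    'fc4216f6ae5c2005ce2598fa858a2bf0ece79efa0acd0e9859a316d7dd14ccce' = 'C:\Galax68\bodxec.exe (first write)'
    '7517feb22f2c65b687a297af5e8ac0733423eb6657c471ba229b579f58cf1d83' = 'C:\Galax68\bodxec.exe (second write)'
    '8c87d3d1207b7c3e2d113ccb1f92fdba5a3278ba403dec483978bb822f95ca0d' = 'Startup\ecxdob.exe'
    '7bd2aeffbd5ab9d56d33a00d320e4f0f915373c18e479480e0f277aa63424597' = '253086396416_6.1_Admin.ini (166B)'
    '040d1dafdf445c6aed6525bc9c1815869e52fd67c4a4705349653b39d8102b71' = '253086396416_6.1_Admin.ini (198B)'
}

# Assumption: C:\Users\Admin in the report corresponds to the current profile.
$Startup = [Environment]::GetFolderPath('Startup')
$Candidates = @(
    (Join-Path $Startup 'ecxdob.exe'),
    'C:\AdobeEY\xbodec.exe',
    'C:\Galax68\bodxec.exe',
    (Join-Path $env:USERPROFILE '253086396416_6.1_Admin.ini'),
    (Join-Path $env:TEMP 'd0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe')
)

$Findings = @()

# 1. Observed drop paths: a hit on the path is a finding even if the hash differs,
#    because the report shows the sample rewriting its drops.
foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($ReportSha256.ContainsKey($Hash)) {
        $Note = "hash matches report: $($ReportSha256[$Hash])"
    } else {
        $Note = 'path matches report, hash does not (drops are rewritten per run)'
    }
    $Findings += [pscustomobject]@{ Type = 'file'; Item = $Path; SHA256 = $Hash; Note = $Note }
}

# 2. Persistence: any HKCU Run value whose command points at an observed drop location.
#    The value name is not in the report, so every value is checked (regex is an assumption).
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $RunKey) {
    $Props = Get-ItemProperty -Path $RunKey
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider, ...
        $Cmd = [string]$P.Value
        if ($Cmd -match 'AdobeEY|Galax68|Startup\\ecxdob\.exe') {
            $Findings += [pscustomobject]@{ Type = 'runkey'; Item = $P.Name; SHA256 = ''; Note = $Cmd }
        }
    }
}

# 3. "Drops startup file": list every executable in the Startup folder, not just ecxdob.exe,
#    since a renamed drop would otherwise be missed.
Get-ChildItem -LiteralPath $Startup -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
    $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    if ($ReportSha256.ContainsKey($Hash)) { $Note = 'hash matches report' } else { $Note = 'unlisted executable in Startup' }
    $Findings += [pscustomobject]@{ Type = 'startup'; Item = $_.FullName; SHA256 = $Hash; Note = $Note }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No artifacts from the report found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

The script only reads files and registry values, so it is safe to run on a live host before imaging; the report lists no DLL or network indicators beyond the "Loads dropped DLL" signature, so nothing is checked for those.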