Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 23:33
Static task: static1
Behavioral task: behavioral1
Sample: 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
Resource: win10v2004-20241007-en
General
Target: 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
Size: 2.6MB
MD5: 9b42636603c89983378290168040f6f0
SHA1: cbb75e590b62818c8f3e0c8a34eedb3bd12369c7
SHA256: 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971
SHA512: e188976870964290cd3e8129595bf489f2144eb553cebe349a086f684c0f56e7276e969529b796adb1e6e0fb260f0f6f07897f2d1929a81ac0322f3b7ace3f06
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bS:sxX7QnxrloE5dpUp5b
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe

Executes dropped EXE (2 IoCs)
pid | Process
3596 | ecxbod.exe
2272 | xdobloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, among other things.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6N\\xdobloc.exe" | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPB\\dobdevsys.exe" | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxbod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xdobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
3596 | ecxbod.exe
3596 | ecxbod.exe
2272 | xdobloc.exe
2272 | xdobloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2300 wrote to memory of 3596 | 2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | 88
PID 2300 wrote to memory of 3596 | 2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | 88
PID 2300 wrote to memory of 3596 | 2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | 88
PID 2300 wrote to memory of 2272 | 2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | 89
PID 2300 wrote to memory of 2272 | 2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | 89
PID 2300 wrote to memory of 2272 | 2300 | 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2300
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3596
  - C:\SysDrv6N\xdobloc.exe (level 2)
    Command line: C:\SysDrv6N\xdobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2272
Network
MITRE ATT&CK Enterprise v15
Downloads