Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 12:45
Static task: static1
Behavioral task: behavioral1
- Sample: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
- Resource: win10v2004-20241007-en
General
- Target: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
- Size: 2.6MB
- MD5: a3875c96399721e33b1ea6180d7f6e50
- SHA1: ee29ca8862ccfb321c3cee04d6564dcf41d56402
- SHA256: f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3c
- SHA512: 7681adc3c525607a6bc9fcc33d39c961a0eb0cd95deffcf9495ccd447ebbedfe026bddd3dc501b9ac61f057f82237125558869a5625482f21f116efd67912670
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSq:sxX7QnxrloE5dpUp6bV
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe

Executes dropped EXE (2 IoCs)
pid | Process
3052 | ecdevbod.exe
2104 | xbodsys.exe

Loads dropped DLL (2 IoCs)
pid | Process
2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBH\\xbodsys.exe" | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBZ\\dobasys.exe" | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevbod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
3052 | ecdevbod.exe
2104 | xbodsys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2968 wrote to memory of 3052 | 2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | 30
PID 2968 wrote to memory of 3052 | 2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | 30
PID 2968 wrote to memory of 3052 | 2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | 30
PID 2968 wrote to memory of 3052 | 2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | 30
PID 2968 wrote to memory of 2104 | 2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | 31
PID 2968 wrote to memory of 2104 | 2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | 31
PID 2968 wrote to memory of 2104 | 2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | 31
PID 2968 wrote to memory of 2104 | 2968 | f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe"
  PID: 2968
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (level 2, child of PID 2968)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    PID: 3052
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\IntelprocBH\xbodsys.exe (level 2, child of PID 2968)
    Command line: C:\IntelprocBH\xbodsys.exe
    PID: 2104
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: a23f73456cf57f6942ff1fe1441b4cae
  SHA1: 2dc6db7f1898ce8fe16042906a0cca3004bcc464
  SHA256: 46a4a60f35788c824b4899fe1e178c160bc9f309a484bca43fa7273c2806a411
  SHA512: 862f33ca57f221b0f66a5fe456eff7a2deab22c377d53af64984166a25ef631f136997e8e3f4ab64cd0c55a335e2ea69edcce5dbf987c795617883b972d8bbb4
- Filesize: 2.6MB
  MD5: 5bbbccac963520a478f51eb3417ffd9c
  SHA1: ef7d8f00495c497203c639c8f8533db933124f3b
  SHA256: 7e4c897d5c957374ce2b5f609de037ca456829f91352347ba0c308f02edf06b8
  SHA512: 4550b44ac7aa5db140bac24d740da9f1fc59f93188770ecc18d94a52d700d20a4d3b8d19f82626688263cfa0b6e4439ef8854f20689c800ccbcf21ae1b934c97
- Filesize: 13KB
  MD5: fbe3105945c809e8bf6e00f7fef8ce54
  SHA1: e4b4b6a33f2126392c845abd1669f10511f5c42f
  SHA256: 588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d
  SHA512: 50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79
- Filesize: 2.6MB
  MD5: 678c88b8f84541a82ed965c60b03fa2e
  SHA1: 6ad087048da401e43a73cd2611db275a98523223
  SHA256: 980eee12aa3c1f8f2051b5db18c345c86d53ce08d734905d404f8351413a9427
  SHA512: 399764b3aa81f4bf790cf7d71dbdc1d99600e7eb2edf49b327a479f7125c2bb369860cf9fefde8961c35deaf8bd4b587726dd0c53b6f8ad84ada5b3f4b166126
- Filesize: 174B
  MD5: 55e0dbfa6eff772945c470db86c29055
  SHA1: f76162df69191c8f7d193f3fe114225162b435aa
  SHA256: b03ba3c418a57c8c295475e0218ff8acbc8a415f81ba27ed9374881db1811aa9
  SHA512: 542a9a8b949511bf2ed1e33b6c040036634d4feb06f60090348825ee2a021f7b2212462dda115d0693cea4bad0d44d4af1710225b017a112f02e988bb161386c
- Filesize: 206B
  MD5: a2c8139958833a967304ac5f05b8908f
  SHA1: 897c56e3e6ea8df50be483e6d1d38daa09bd17a6
  SHA256: bdcf91815db69460eea86e529a99b2da9ad2699808e15a71ecb5c6283e8b892d
  SHA512: 3729b1d1d71e2719f6543b5e2bf65dca3495801df2cf4307016e06ee79e4b800db7db8e626ab4dc90a907d35054b7190959f93153b7ae3706e203ae8abcd6a62
- Filesize: 2.6MB
  MD5: 9c3cbbe72db06f2fe9e03a7835194c86
  SHA1: 2960265378ad54c4ef65a75e0351bb9c9a4e1204
  SHA256: 57bf6c092a7b8f76f39579b99e988937f45075598c0632bbe6333d3dc558bf45
  SHA512: c9e1dcd006734a62740331448ef338d161e847d280bce5b7639d4de7c240442600e5becfce16330792ca3551820ff5de3c6af5a01ba8f501a2ee37adfade403b