Analysis
max time kernel: 118s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 09/11/2024, 00:02
Static task: static1
Behavioral task: behavioral1
  Sample: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
  Resource: win10v2004-20241007-en
General
Target: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
Size: 2.6MB
MD5: 58f112e134ba38876c9e55651bde32c0
SHA1: cedbdf28dc10b68ace93a699fdcb19176f8d9501
SHA256: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631da
SHA512: e299c0e560028e708192c8dafaea60a6daea3ba409421a0f060d2c52ed08ba27f0bf661dd8b5077ae0287d0ce873ba3cfcffec15c1b16979f5702be9fcc71457
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
Executes dropped EXE (2 IoCs)
  pid 2856  ecxbod.exe
  pid 2116  adobsys.exe
Loads dropped DLL (2 IoCs)
  pid 2304  4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
  pid 2304  4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMW\\adobsys.exe"
    Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGE\\bodxec.exe"
    Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecxbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: adobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2304  4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe  (2 entries)
  pid 2856  ecxbod.exe   } the remaining 62 entries alternate between these two processes
  pid 2116  adobsys.exe  }
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2304 wrote to memory of 2856  (Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe, procid_target 29)  x4
  PID 2304 wrote to memory of 2116  (Process: 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe, procid_target 30)  x4
Processes
C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe"
  PID: 2304
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    PID: 2856
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\UserDotMW\adobsys.exe
    command line: C:\UserDotMW\adobsys.exe
    PID: 2116
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: d9d9e2f72d0f4839ee6feb448bbecaeb
SHA1: 6d16ae3bc56596a4f332eac963cf3765e97312eb
SHA256: 6b6b4fff12b975220cd3f79e19a59b54276a06351fcf392d1a0abb9669ea6e22
SHA512: a615e3c2772498055cc0ad873f7b6bbe16c0eff58f14ff5fdcffaf2c6aa07790205066b0ed59eb2a4ce0598e2380b9558a09730e538f3a0a4f3677b9f4d02918

Filesize: 2.6MB
MD5: 925ce024e8853225a93d61ec9099f0f7
SHA1: e2a1929ac93b3a70604c8220e8f3bf2fbb70991f
SHA256: a142b15c368bcebd3c37a0f7ef319ad1638b9222464790622dac723a3a7b21cd
SHA512: c07bdb59e1d4bd2b03a29c5a83efc476e7d20475cda21258b0fe16a15f6d5cb4e9686959f491ac79982e90d0e9754906992fabadb2036990517bb44eb132ccf8

Filesize: 2.6MB
MD5: e0a6663c0d9371dd7be312577e2ff353
SHA1: 2170c77afa97037771538f48e99c108b1e1d1191
SHA256: a505c7f4ed4adaa662b259fa3ee3e7b5cff549fa8cea1992454802712bf509da
SHA512: 4af56bf7761c34aa5cb7ab863e2c41a40f1b370fadfe25882b0ed59d7fe2694500fc4d918b688b1ba29fcf5334e4f60d5bfc55f3435e1a13bad00be752ccedf5

Filesize: 169B
MD5: 2916f0739a13a424ed4c9adeea18b2ce
SHA1: 81056ac9d2d6ccf34f6deec0a9a5367b72d3ab65
SHA256: 4457197ac2143635e6719911f72d5623287b2e96e3fd202eda0e09a8348427b3
SHA512: 11d19ded905529798795a8efea5153fcfcc713b0e2b7129070d0a55ea5e523bc4b178b041aaf68ffdce16b39de78837edf7ebaa981a4534f504cb1200c14a050

Filesize: 201B
MD5: 55fb4b9fa9c17a71147fd203eb2988b4
SHA1: 548024c3f48ccd5f8f902b3656081eab34771c5d
SHA256: 7b3a4df6f5730727e9156da2f09c7c732935710293c75f987e8c800eedd27379
SHA512: 7d6f776e60828ebabf358da653b3fe971678633e6c7ebdeb3b07d96d258434e368ffd55bf28ec5c891633aba639fbb7bbcf76fdef27ac42a8a67d74cc665664b

Filesize: 2.6MB
MD5: 0046cbbea71c79d6860359d808025a8e
SHA1: c6ebc350aa55fe4c74c3e23704c2acfe810d8258
SHA256: 003d688df6f427a38e5bf1602f3ee98fb8521f4cbe5823c40d89627472fcb3d9
SHA512: 24db24cc0ff81810caff87b3a19c37314ef10f954d2375144ada70e3423761df961d2627c9a34e9afe2687a5e99d35caf0f467517c15d8986a7ffa8b32f63086