Analysis
  max time kernel: 120s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 12/11/2024, 16:57
Static task: static1
Behavioral task: behavioral1
  Sample: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  Resource: win10v2004-20241007-en
General
  Target: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  Size: 2.6MB
  MD5: 6de03fab414e9990d9061dd0ed693020
  SHA1: 55d0e3b1d8f296d32158205df82ee427cd06bcf4
  SHA256: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7
  SHA512: 98fe4cb7ea453a279a1df75a5162cfe0802ee52aa82412f98f16ffeb02b47048ae624ead2b88aa382464865b4d16cb2dfd568899396c61cc136720bd3e7a9c15
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bSq:sxX7QnxrloE5dpUpFbV
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe  (process: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe)
Executes dropped EXE (2 IoCs)
  PID 2812: ecxbod.exe
  PID 2128: devbodsys.exe
Loads dropped DLL (2 IoCs)
  PID 2212: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  PID 2212: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHA\\devbodsys.exe"  (process: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUG\\optidevec.exe"  (process: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devbodsys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: ecxbod.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs, across the following processes)
  PID 2212: 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
  PID 2812: ecxbod.exe
  PID 2128: devbodsys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2212 wrote to memory of 2812  (pid 2212, process 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe, procid_target 30)
  PID 2212 wrote to memory of 2812  (pid 2212, process 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe, procid_target 30)
  PID 2212 wrote to memory of 2812  (pid 2212, process 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe, procid_target 30)
  PID 2212 wrote to memory of 2812  (pid 2212, process 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe, procid_target 30)
  PID 2212 wrote to memory of 2128  (pid 2212, process 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe, procid_target 31)
  PID 2212 wrote to memory of 2128  (pid 2212, process 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe, procid_target 31)
  PID 2212 wrote to memory of 2128  (pid 2212, process 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe, procid_target 31)
  PID 2212 wrote to memory of 2128  (pid 2212, process 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe, procid_target 31)
Processes
  C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe  (PID 2212)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe  (PID 2812)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\SysDrvHA\devbodsys.exe  (PID 2128)
      Command line: C:\SysDrvHA\devbodsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads