Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:22
Static task: static1
Behavioral task: behavioral1
  Sample: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
  Resource: win10v2004-20241007-en
General
Target: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Size: 2.6MB
MD5: 421c7abb8fe0f0daaab456397d9a8530
SHA1: 494882bea05d1d21899a66c47c579e63c0bf6fe9
SHA256: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331
SHA512: cd7571f3063d4f93bb0c83da40e746d16d260b4b20a1378d23b24bbfe82cc9ef2caf2c16f4e0f6a4ca892ce62d71602b08396b722b5e4d484d8b2c6982df4fa0
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSq:sxX7QnxrloE5dpUp0bV
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Executes dropped EXE 2 IoCs
pid | Process
2796 | ecabod.exe
2940 | xbodsys.exe
Loads dropped DLL 2 IoCs
pid | Process
2416 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
2416 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWH\\xbodsys.exe" | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEP\\dobdevloc.exe" | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecabod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodsys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2416 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 2
2796 | ecabod.exe | 31
2940 | xbodsys.exe | 31
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target | entries
PID 2416 wrote to memory of 2796 | 2416 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 30 | 4
PID 2416 wrote to memory of 2940 | 2416 | ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | 31 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2416
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2796
  Child: C:\SysDrvWH\xbodsys.exe
    Command line: C:\SysDrvWH\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2940
Network
MITRE ATT&CK Enterprise v15
Downloads