Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:51
Static task: static1
Behavioral task: behavioral1
  Sample: bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
  Resource: win10v2004-20241007-en
General
Target: bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
Size: 2.6MB
MD5: e2434796bed4d1cd649c6afb0fc47096
SHA1: 42f630e492619fe20283d7227a7f65f9a4e9e361
SHA256: bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2
SHA512: 48af8958a4cb5664f84919eb22ab5a69c409146065dd99ea7d4d4f21a116265aa582dfc47b1853424f52ad9126bdc8b9a7328210de842585f7a1a87afcf0aff4
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bST:sxX7QnxrloE5dpUptbc
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (by bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe)
Executes dropped EXE (2 IoCs)
Processes:
- PID 2840: ecxbod.exe
- PID 2704: adobloc.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 2668: bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVP\\adobloc.exe" (by bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZJ\\dobxec.exe" (by bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by adobloc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by ecxbod.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 2668: bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe (2 entries)
- PID 2840: ecxbod.exe and PID 2704: adobloc.exe (remaining 62 entries, alternating between the two)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 2668 (bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe) wrote to memory of PID 2840, procid_target 31 (4 entries)
- PID 2668 (bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe) wrote to memory of PID 2704, procid_target 32 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe"
  PID: 2668
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (child of PID 2668)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    PID: 2840
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotVP\adobloc.exe (child of PID 2668)
    Command line: C:\UserDotVP\adobloc.exe
    PID: 2704
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads