b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
Size

2.6MB
MD5

46f2073cd4364076c502b75e34d8829e
SHA1

3bf44dfe40442f7b0a4bc3eaffa054ab1649746f
SHA256

b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9
SHA512

ab684220b166397bb19bd4e2ed6ebb65bbac6987f2a4262987eb6401935e2348c65fa602bd9eefc26296b3ea70ece86b78c6ec1a348866f7cf6e2136f2e3d1c1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUpCb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	ecxbod.exe
2300	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZU\\abodec.exe"	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZY\\bodxec.exe"	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe
2940	ecxbod.exe
2300	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2940	2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	30
PID 2380 wrote to memory of 2940	2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	30
PID 2380 wrote to memory of 2940	2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	30
PID 2380 wrote to memory of 2940	2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	30
PID 2380 wrote to memory of 2300	2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	31
PID 2380 wrote to memory of 2300	2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	31
PID 2380 wrote to memory of 2300	2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	31
PID 2380 wrote to memory of 2300	2380	b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe	31

C:\Users\Admin\AppData\Local\Temp\b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe
"C:\Users\Admin\AppData\Local\Temp\b957636701b84764bd89ff95b5c179587b5f08a69663b89db548ea8687f587f9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\IntelprocZU\abodec.exe
  C:\IntelprocZU\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZU\abodec.exe

Filesize
2.6MB

MD5
b8318945ec478fe5ad188fe4fd7b4e4b

SHA1
e6872a4d6da5eb9058422f1727feaf3c776bea4a

SHA256
0b806b6943a50ce9d75eb6c54317fcdcbb2d5e3d76039afa437c6b8d5b68d9ba

SHA512
959d368f8d9b730fd8fc3fa69a62792acdd431e4edc5a627a3d6abccd4232eb2da93fbfb33d0065c259548a01f60bc843a4d7260e11183c1fc296341ac9be145

Download Submit
C:\KaVBZY\bodxec.exe

Filesize
2.6MB

MD5
fc43797a8a7a2a30a2e224bc5034900d

SHA1
85a03e4e2a08e73b80cb79b435cb05c0ba3abd63

SHA256
28f365dfb4a849ea75d25615e000daf7a67dc6b380c850e79c42e2091780bee2

SHA512
de50871fe63ed370f5936904dd150756f3f8a41d986192b213868d909b82cc018f836805f72bbe4740ad7e9846df3961a340b64199689fe93f7a5d9e87240db5

Download Submit
C:\KaVBZY\bodxec.exe

Filesize
2.6MB

MD5
73deb068a240947114d1cbe96dea2c66

SHA1
8362f56f1c71e7aa2d7f0fa26a2360a0b8cdda00

SHA256
84252c65297da3923134485016535953fda0924e34fb034516ba8d02984a8ddd

SHA512
44d466848b76fa0494f609a5f5be1b625176917f673fa155e97b36a560517db345379b93e82e0938137fabf1140a387ba707e9fbb7df821d17f9cec55c21a242

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
021c92c5dda6b7b5733ff51b22e9e13f

SHA1
d1cb0f6d143694a0e0f4d6b223ae7f01d28624a6

SHA256
cd9a8114ac1ff49973c8df9f618e71bbdb5acafffb649594fe9b776953db6b2a

SHA512
e8bf428ad0fe47301870e261ee7092f4dc3e6aa46f6da4fd6017b543579be380360bcb19df08306073e3573a505372d212f44f908d841120c9ba5adac8c9ff36

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
72a6ec6b59782c01052f0b5bf7a997d1

SHA1
69524bd73fe2cf9400c3c5b9c1a0b4629fe2abba

SHA256
21917b8bb0baec45621253ba6d72247f5f13868bbdbd1932956658922e918237

SHA512
5d4651a5c301c5b5fd9a081e62953be24c9dac735d5ba059fade8878d7f13315945a2cc0abd8aae5d9183072fb1e2c2b3190d6a7dfddc7f62f852762bcea7e21

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
92f26e7faa758dfa31b9ee91b629919f

SHA1
71c7d7763b4b3274c5802b74da657e69c49af478

SHA256
ae6b44113dc9c9e6a312da76f9808b62858d581bdc528afb7662eb472c4d8c80

SHA512
360f4dcd23057ac3e703a45803ff7cb0d9257a86fb5d87879c1c2aa24b7e8bf4dd7321353be40aec4275056c5dabd9318e61ae4b631ce1e59a0aeb9da5e93a6d

Download Submit