Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 08:39

General

  • Target

    d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe

  • Size

    2.6MB

  • MD5

    f5beed01e362e949e31811b8021784e5

  • SHA1

    1ece4ea2e5c874d197ab369d5f7116fd25b8e82f

  • SHA256

    d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67

  • SHA512

    beb7df35b9428e4ee5364af416eba2c044bbf8df8bf3a6e6f590c4bc05be382b926c86835109453a4bb7a711929c934c0c48ce395e8cfb86e6e25de91179ef5b

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBfB/bSy:sxX7QnxrloE5dpUp0b1

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and cookies.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe
    "C:\Users\Admin\AppData\Local\Temp\d16a7a2d4765c22a5b77f10d31b99dd2be9544387e528678551b2df520548a67.exe"
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID: 4044
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID: 3660
    • C:\UserDotWI\xdobloc.exe
      C:\UserDotWI\xdobloc.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID: 1112
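The tree above shows the persistence pattern of this sample: the parent (PID 4044) writes ecxbod.exe into the per-user Startup folder and adds a Run key, then launches that copy and a second copy from a freshly created top-level directory, C:\UserDotWI. The following is an added triage example, not output of the sandbox, that classifies autostart entries collected from a host using exactly those signals. The Startup folder path is taken from the report; the Run key value strings are constructed, because the report records that a Run key was added but does not show its value, so the ecxbod and xdobloc entries are assumptions for illustration.

```python
"""Triage autostart entries for the persistence pattern seen in the process tree.

Added example for this report; not output of the sandbox. The Startup folder
path is taken from the report. The Run key values are constructed: the report
does not show the value that was written, so these entries are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample input (what a collector would read from the host).
RUN_KEY_VALUES = {
    "ecxbod": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"',
    "xdobloc": r"C:\UserDotWI\xdobloc.exe",
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',  # benign control
}
STARTUP_DIR_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

# Where installed software normally lives; anything under these roots is not flagged.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Directories any user process can write to, so a dropper needs no elevation to plant a file.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Startup folder entries with these extensions execute at logon without a shortcut.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def extract_image_path(command: str) -> str:
    """Return the executable path from a Run value, handling quoted paths and trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: everything up to and including the first ".exe" token.
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def classify_path(path: str) -> list[str]:
    """Reasons an autostart image path looks dropped rather than installed; empty list means unremarkable."""
    low = path.lower()
    if low.startswith(TRUSTED_ROOTS):
        return []
    reasons = []
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("runs from user-writable directory")
    if "\\start menu\\programs\\startup\\" in low:
        reasons.append("image lives in the Startup folder")
    parts = PureWindowsPath(path).parts
    # e.g. C:\UserDotWI\xdobloc.exe: drive root, one folder, the binary
    if len(parts) == 3 and parts[0].endswith("\\"):
        reasons.append("non-standard top-level directory")
    return reasons


def suspicious_autostarts(run_values: dict, startup_files: list) -> dict:
    """Map each suspicious autostart entry to the reasons it was flagged."""
    findings = {}
    for name, value in run_values.items():
        reasons = classify_path(extract_image_path(value))
        if reasons:
            findings["Run\\" + name] = reasons
    for path in startup_files:
        if path.lower().endswith(EXECUTABLE_EXT):
            findings["Startup\\" + PureWindowsPath(path).name] = ["executable placed in Startup folder"]
    return findings


if __name__ == "__main__":
    for entry, reasons in suspicious_autostarts(RUN_KEY_VALUES, STARTUP_DIR_FILES).items():
        print(f"{entry}: {'; '.join(reasons)}")
```

On a live Windows host the two inputs would come from enumerating the Run keys under HKCU and HKLM and listing the Startup folders; the classification itself is deliberately platform-independent so it can be run over collected data. The OneDrive entry is included only to show that a quoted path with arguments under Program Files passes through unflagged.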

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Galax6J\bodasys.exe

    Filesize

    2.6MB

    MD5

    142c24be35aa531af28f3961997ec918

    SHA1

    28cdf6451feb1bf862347b7e2ca749842ef2a9cf

    SHA256

    9c1de4971e66dc0790ca841db71bf0cd8ffdca9e89659f3eea67b8e333d973aa

    SHA512

    29846ec85149a785b7d0864e8e0e7775a095dc2a3479c796114a431d06742235b7e714530220a4cb744d4275d31b8e6f6b255da97d3140e21d75e1e45a17229e

  • C:\Galax6J\bodasys.exe

    Filesize

    2.6MB

    MD5

    b93ef80a9bdc7387d969371ab98f5021

    SHA1

    5398b4e17cd5b16af5659f0744541a9ee2d6e71e

    SHA256

    ca83947c716b8b06e956aac1bbde528e7a50e1c2c3fb4d578daa07d28ecd144d

    SHA512

    ee0b9d5730cab3f4c9bf580b3fcd52d9ba1d1f354acfcc7c9d0be9faad51124c7b2d6907af732e331733e24a01bae7b230225e0bbc35ba0d1b530e9368670009

  • C:\UserDotWI\xdobloc.exe

    Filesize

    2.6MB

    MD5

    93a67eecd6cba2296d87f26a4fdc6d9b

    SHA1

    d9885b865c1ee09b0870efd6e5752488279b30ef

    SHA256

    1e14268f600c7ca1adbca69db45525c0556f721ed649dda5393e2e5571fb152b

    SHA512

    5d5ec24a4969daa9ff99dccf0be0f057fe17cbad0e21109eedce17b8e2beed4722344375d3e3d9ed21acb69b61963ff7d140f3ee767b5ae433073625b3962084

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    202B

    MD5

    643ef6457d9878008d51e8d73ce97333

    SHA1

    2e6586c220f72f0467af8aaad89d5afccb9e8e41

    SHA256

    98cac3a484a46636a24707240b1d10e3054a431c97aca46720e959bff03f5ddb

    SHA512

    8d211a6c4d2c001d4aebcf8c75df8b81d74cc12812d9c8eddbda1a7d224d422c6e5ec8408cea5832fb0fac20390b2f42284ca14319ab35edd802a24b00ca9fa6

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    170B

    MD5

    06a5463f9e2cabfe6fd5d7d94a4efb23

    SHA1

    ebf99f9bca150f0ccae028f03c8f83a4f410d7d0

    SHA256

    8f6e018e64cc0975bf2fb4c703553f86f0ba84f0a702d8167b2cd49db21dce5b

    SHA512

    0a1a1f148ddbcec4810dd41256ab75d0555c7825096270478d55c054724922f6881b5f674694ba2e11246a9cfae2f3be543446fdc318f1fc6c773d356b495958

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

    Filesize

    2.6MB

    MD5

    ea870941d0da58a610a95f41a1e89fdf

    SHA1

    cbff67cf81160c7beabf0f178ec06238c6d75cee

    SHA256

    a183a7dbc4a2a38a42169d90938c728397c741bdc0ae9692c16fbc51c819ea18

    SHA512

    5e12b6fab0b83926e539c396fe95af6bc832450bf09788dd74bfad762d31e3331dc267ffdb10a2120248d8aa84a4022acde3343719c4ccc1099ad80fc7755a1c
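Two things in this section matter for hunting. First, the parent and every dropped binary report the same 2.6MB size but different digests, so a single SHA256 will not catch the copies. Second, C:\Galax6J\bodasys.exe and the .ini under C:\Users\Admin each appear twice with different hashes, meaning they were written and then overwritten during the run, and bodasys.exe was dropped without appearing in the process tree. The following is an added example, not part of the sandbox output, that parses this rendered Downloads format into records, checks digest well-formedness, and surfaces paths that changed contents during execution. SAMPLE is copied from the report's own entries for those two paths, with the SHA512 lines left out for brevity; the parser accepts them when present. The binary unit interpretation of "2.6MB" is an assumption.

```python
"""Parse the Downloads section of this report into IOC records and check them.

Added example, not part of the sandbox output. SAMPLE is copied from the
report's own Downloads entries (bodasys.exe and the .ini, each listed twice),
with SHA512 omitted to keep the sample short; the parser handles it when present.
"""
import re
from dataclasses import dataclass

SAMPLE = r"""
  • C:\Galax6J\bodasys.exe
    Filesize
    2.6MB
    MD5
    142c24be35aa531af28f3961997ec918
    SHA1
    28cdf6451feb1bf862347b7e2ca749842ef2a9cf
    SHA256
    9c1de4971e66dc0790ca841db71bf0cd8ffdca9e89659f3eea67b8e333d973aa
  • C:\Galax6J\bodasys.exe
    Filesize
    2.6MB
    MD5
    b93ef80a9bdc7387d969371ab98f5021
    SHA1
    5398b4e17cd5b16af5659f0744541a9ee2d6e71e
    SHA256
    ca83947c716b8b06e956aac1bbde528e7a50e1c2c3fb4d578daa07d28ecd144d
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    202B
    MD5
    643ef6457d9878008d51e8d73ce97333
    SHA1
    2e6586c220f72f0467af8aaad89d5afccb9e8e41
    SHA256
    98cac3a484a46636a24707240b1d10e3054a431c97aca46720e959bff03f5ddb
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize
    170B
    MD5
    06a5463f9e2cabfe6fd5d7d94a4efb23
    SHA1
    ebf99f9bca150f0ccae028f03c8f83a4f410d7d0
    SHA256
    8f6e018e64cc0975bf2fb4c703553f86f0ba84f0a702d8167b2cd49db21dce5b
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
FIELD_NAMES = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


@dataclass
class DroppedFile:
    path: str
    size: str = ""
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    sha512: str = ""


def parse_size(text: str) -> int:
    """'2.6MB' -> bytes, '202B' -> 202. Binary units assumed; the report rounds to one decimal."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?)B", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * 1024 ** "BKMG".index(m.group(2).upper() or "B"))


def parse_downloads(text: str) -> list[DroppedFile]:
    """A bullet line starts a record, a field-name line selects the slot, the next line fills it."""
    records, current, slot = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = DroppedFile(path=line[1:].strip())
            records.append(current)
            slot = None
        elif line in FIELD_NAMES:
            slot = FIELD_NAMES[line]
        elif current is not None and slot is not None:
            setattr(current, slot, line if slot == "size" else line.lower())
            slot = None
    return records


def validate(rec: DroppedFile) -> list[str]:
    """Digest sanity: hex only, and the right length for each algorithm that is present."""
    problems = []
    for algo, length in DIGEST_LEN.items():
        value = getattr(rec, algo)
        if value and not re.fullmatch(rf"[0-9a-f]{{{length}}}", value):
            problems.append(f"{algo} malformed: {value}")
    return problems


def rewritten_paths(records: list[DroppedFile]) -> dict[str, list[str]]:
    """Paths listed more than once with different SHA256s: written, then overwritten, during the run."""
    by_path: dict[str, list[str]] = {}
    for r in records:
        hashes = by_path.setdefault(r.path, [])
        if r.sha256 not in hashes:
            hashes.append(r.sha256)
    return {p: h for p, h in by_path.items() if len(h) > 1}


def hunting_set(records: list[DroppedFile]) -> list[str]:
    """Every distinct SHA256 seen, for a retro-hunt across the estate."""
    return sorted({r.sha256 for r in records if r.sha256})


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    for r in recs:
        print(r.path, parse_size(r.size), r.sha256, validate(r) or "ok")
    for path, hashes in rewritten_paths(recs).items():
        print(f"{path}: {len(hashes)} distinct contents during the run")
```

Because every copy has a distinct digest, the hash set from `hunting_set` is only good for exact re-occurrences of these particular drops; for the family itself the file paths (C:\UserDotWI, C:\Galax6J, the Startup folder) and the matching 2.6MB size are the more durable pivots, with the SSDEEP value from the General section available for fuzzy matching where a tool supports it.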