Analysis
- max time kernel: 119s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/01/2025, 22:23
- Static task: static1
- Behavioral task: behavioral1
  - Sample: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
  - Resource: win7-20240903-en
- Behavioral task: behavioral2
  - Sample: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
  - Resource: win10v2004-20241007-en
General
- Target: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
- Size: 3.6MB
- MD5: d4c7e99f9fa1071f60f5e8be949a6554
- SHA1: dc7efdfc80aeab13dcfe9052135bd22757defe00
- SHA256: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602
- SHA512: 1f97cc9c34763dec1b0d7d21873d14e5d561e747f2f2c82ba6bc7eb48e29f3ad2aae88c3c8fc674440fc06c902d64260b815f1bf12eb335d87a794a5574846c1
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBGB/bSqz8b6LNXJqI20tK:sxX7QnxrloE5dpUpNbVz8eLFczp
Malware Config
Signatures
-
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe)
Executes dropped EXE (2 IoCs)
- PID 4776: ecdevbod.exe
- PID 2424: xbodec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9U\\xbodec.exe" (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFC\\bodaloc.exe" (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevbod.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodec.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 4728 wrote to memory of 4776 (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe, procid_target: 83)
- PID 4728 wrote to memory of 4776 (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe, procid_target: 83)
- PID 4728 wrote to memory of 4776 (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe, procid_target: 83)
- PID 4728 wrote to memory of 2424 (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe, procid_target: 85)
- PID 4728 wrote to memory of 2424 (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe, procid_target: 85)
- PID 4728 wrote to memory of 2424 (process: bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe, procid_target: 85)
Processes
- C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe, command line "C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe", PID 4728
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe, command line "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe", PID 4776
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\SysDrv9U\xbodec.exe, command line C:\SysDrv9U\xbodec.exe, PID 2424
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads