Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 12:16

General

  • Target

    e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe

  • Size

    3.6MB

  • MD5

    23f83689bbe30ff13799a107b7a32990

  • SHA1

    7775ce7148436d010d9f4c071c73595c0e12a4da

  • SHA256

    e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35a

  • SHA512

    6ec00f8ec123cbbe6b3ea99d2a9cd7e4a7de64d8e3ad9da9b150c2a16bb83183325bcee69fdf59bb4b489cda4b0954337557e3e52a9c80502a3d5ac04ce06815

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp6bVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
    "C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1148
    • C:\FilesKI\xbodloc.exe
      C:\FilesKI\xbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1812

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\FilesKI\xbodloc.exe
    Filesize
    3.6MB
    MD5
    da8c685170fc4f38c5f7c1c349b90948
    SHA1
    ed843ea2a8cff28b9c34e2c823e13a782086bd0e
    SHA256
    4fc0767833d8f19ff966d2bf8757dbac659c600ddc4520dc152e8d43267552ff
    SHA512
    fbe74ae9326e00509a5fd452fe4ed87ddea4d1c71469e1601070814214fff88dc8308e46517e933155ba514bc75a67c5f9b257b947fc16b9e546ccd9e1d588f8

  • C:\MintBH\bodasys.exe
    Filesize
    1.7MB
    MD5
    7a01fc84f0b87fda93ee38087383d605
    SHA1
    a4a46605446df74c8cd532325d2fbe723f7d2252
    SHA256
    b2d274c9d0e1149ee6830531c6a2ebe18911728f3c7e1a6871079367ed05bc57
    SHA512
    688086fe7c1bec565df028f8ac90169af4e955e1c4818aed2aadb53aa91048c186016c7765f8ed6cf9dd8c38ecb0554376466181535d59027ed736ef9c38714f

  • C:\MintBH\bodasys.exe
    Filesize
    11KB
    MD5
    091ce6baaf2d0916f9dfa1461237e421
    SHA1
    5902212ceeb2154045b0a0da553e70d84839836b
    SHA256
    62d82aa88273576dc8bc487628badc080e5707046f846d8d591f81d64b06476e
    SHA512
    ce78e389b4871826f4ffc3f9d7319e0544025e916a576000b55e8cc09db59464fd1819ff9a6b3243546dfabdc5b47e99c70c6c95d09481db9e6d6a2621320e05

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    167B
    MD5
    5ac0ab20a77d12d667cf4d8491725eed
    SHA1
    653041405b4fbfef5903d46ab34f1f6322685cc4
    SHA256
    e708c26153a3ca2704e0a2e986355a365836e67dcce17e84f05b7fe1b8f85df1
    SHA512
    7388d44b7bdc0430e5a04a81d841c01a58d355c69129f3bb5f4ba509a571639e8aaef589f8116fe57bb1d45bd1976bc001f8e9d2538d6cef3c160d5b8bbe93d5

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    199B
    MD5
    99bfde0a5175450eba877f77fe1a9a5d
    SHA1
    3f75d6579fd2efdb6e4e2ff7c0958585ad74dde8
    SHA256
    3370fad96f9fa121064dd9990d4f6dffd969df185941c4f491e4a571178ea1c5
    SHA512
    7657e9c75a918242373deeee5d8a862a3b8f72db6cf0227b9d69e4512768382b46f29c7c69efc36f37c128f66b610a4c230a87aa32bcdf5d1cb63a1946163606

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Filesize
    3.6MB
    MD5
    7539d89cb1c9bd0152ce218ac321c988
    SHA1
    254dad52f4f31a676f2d71c3a767d55d2babf917
    SHA256
    1840a3884c9e862225612cea40d18e7dda1cb45fcff5e300c9c5a53cd60ed04c
    SHA512
    49de2c60f6e01e0f9f4039e75bef67fc1a5305100689c3c38c77c63a0c1b606068d90baa85041b69912b76f3ebd862bb49fc581e4b2160d98760f139799dd6f2