Analysis
  max time kernel:  119s
  max time network: 16s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        19/01/2025, 12:16
Static task
  static1

Behavioral task
  behavioral1
  Sample:   e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  Resource: win7-20240903-en

Behavioral task
  behavioral2
  Sample:   e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  Resource: win10v2004-20241007-en
General
  Target: e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  Size:   3.6MB
  MD5:    23f83689bbe30ff13799a107b7a32990
  SHA1:   7775ce7148436d010d9f4c071c73595c0e12a4da
  SHA256: e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35a
  SHA512: 6ec00f8ec123cbbe6b3ea99d2a9cd7e4a7de64d8e3ad9da9b150c2a16bb83183325bcee69fdf59bb4b489cda4b0954337557e3e52a9c80502a3d5ac04ce06815
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp6bVz8eLFcz
Malware Config
Signatures
Drops startup file 1 IoCs
  description: File created
  ioc:         C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  Process:     e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe

Executes dropped EXE 2 IoCs
  pid   Process
  1148  ecxbod.exe
  1812  xbodloc.exe

Loads dropped DLL 2 IoCs
  pid   Process
  2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
Reads user/profile data of web browsers 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKI\\xbodloc.exe"
  Process:     e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe

  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBH\\bodasys.exe"
  Process:     e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe

  description: Key opened
  ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     ecxbod.exe

  description: Key opened
  ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:     xbodloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  The report lists 64 entries for this signature; they are repeats of the following pid/process pairs (duplicate rows collapsed):
  pid   Process
  2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  1148  ecxbod.exe
  1812  xbodloc.exe
Suspicious use of WriteProcessMemory 8 IoCs
  description                         pid   Process                                                                  procid_target
  PID 2456 wrote to memory of 1148    2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe  31
  PID 2456 wrote to memory of 1148    2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe  31
  PID 2456 wrote to memory of 1148    2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe  31
  PID 2456 wrote to memory of 1148    2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe  31
  PID 2456 wrote to memory of 1812    2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe  32
  PID 2456 wrote to memory of 1812    2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe  32
  PID 2456 wrote to memory of 1812    2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe  32
  PID 2456 wrote to memory of 1812    2456  e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe  32
Processes
  C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe"
  PID: 2456
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (child of PID 2456)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    PID: 1148
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\FilesKI\xbodloc.exe (child of PID 2456)
    command line: C:\FilesKI\xbodloc.exe
    PID: 1812
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads