ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
Size

4.0MB
MD5

adb7728d4c7b219bbf52849f484db9be
SHA1

7ffa2ec0c08588a1c919b4350be908b9253c8342
SHA256

ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce
SHA512

8325ebc7d2504e1e663f7c3ab4fd5fb1859ad69a7ab53a6017861f1acceef4b3022236e753872a8ddc30fa8308e293ee634a1eea5593ff50b2031a482722669b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	ecaopti.exe
2272	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSP\\xbodec.exe"	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4X\\boddevloc.exe"	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe
2812	ecaopti.exe
2272	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2812	2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	28
PID 2188 wrote to memory of 2812	2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	28
PID 2188 wrote to memory of 2812	2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	28
PID 2188 wrote to memory of 2812	2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	28
PID 2188 wrote to memory of 2272	2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	29
PID 2188 wrote to memory of 2272	2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	29
PID 2188 wrote to memory of 2272	2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	29
PID 2188 wrote to memory of 2272	2188	ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe	29

C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
"C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\IntelprocSP\xbodec.exe
  C:\IntelprocSP\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax4X\boddevloc.exe

Filesize
4.0MB

MD5
c1b10c11ab8a0884f9e0b12fec6dbc16

SHA1
b8c449b7d3fab32e0b886358c2308064707f093f

SHA256
e44c0a315d509c2698452d85c293d7e6f21a1bca9d8c77a73588bc2dfd3d210f

SHA512
76ff2e43e6d122af3498e9aebfeb18861eb69d40996a343c6c3772139a67c182f5417251983ae2b487a61055456d42b2228c01cd9efed16c68761564c3819794

Download Submit
C:\Galax4X\boddevloc.exe

Filesize
4.0MB

MD5
118a6ac478d01026eded6075842616b2

SHA1
54257a91ce785b542a4d7dc6ba0f5931db055505

SHA256
09196c2b2a2e81f6569ba001d6744825e10ad2a22f1d91ddc0317d1233fa0b3f

SHA512
378273e61a0359246d07d7b00ebb8bf310a89ffa952a40bfd8846271106649d122f4e0f1c2aeb7c3cac7d3fae5af40093e3456e95ebb1419e60c315c62f12afb

Download Submit
C:\IntelprocSP\xbodec.exe

Filesize
4.0MB

MD5
8790a2eef729a737561a6c073e57caa7

SHA1
8cd615f48f8b10dc93ee35046477a3873bbe1644

SHA256
2f334e06f22a8f9bb4de6a9d03cd12c1d59ebffbedb0b2dcf55190defedf8b04

SHA512
7aa28b9a944768669f70d9ccd23de51e1eead309f320a17b3f1e62b2915bf04a317357eb740e44af6665ed2d0cf46d81862e4a92191cedf41fadec792d19e94b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
f428d2db18630d89bb941b0685ba7daf

SHA1
07833edb380ca53f9aa6905655d3c19bf24b8442

SHA256
612d1b9667d0a662bcf450cf9cbfe70c4f15e5e24ae0953c85ccf1743e4d2487

SHA512
e8ac8b6130673db88cf7da8bcacc5f9a3fc1bc6e6a3718f5c5ead6768340c15589a6faebb2c829c06106cefa57ab1e05fc59915af0e3b64d709aff7f9d673443

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
5ecdc8874a5e30c494aa28896c23810e

SHA1
2eb6c0e5773188262a625306fcc87d0d96bb3d69

SHA256
5a8dcfbec68db8bd5737f5c8b8777c7f23c96d22f8943313b072974f0e7ad24a

SHA512
4bcb63dde31720290ec7e8f4cbc0d3e568e90296ac3bbaa658988bc063a9de35e789f395917447de45ed557a8ed7ec53a523c32c57c95a04be52ce2bc0f9561f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
4.0MB

MD5
543ddd1348863dfcc13516da1b180772

SHA1
2a0d93f55d58ccf43c942467a6d0fce4a6d7b48b

SHA256
906d9e985404cbe4df436b6d13c0af134cddb03b64c8b381287828f5e18401ce

SHA512
d88b86e88d83b5cadf01370755390f2ab086c8f9a3e96063ce88df6271badb9334e8d51a769e09484ec9b74ab18c6c19c4779726c2dbf1067afd924149306516

Download Submit