57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
Size

4.0MB
MD5

2ee0a449814fb02ce0d0a5ffdd2ec4d8
SHA1

2d0c7458f4dd5996ee14e278ce07cfefa08f35ac
SHA256

57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19
SHA512

7b870c2a3c91370906c817fe82a925cb547fc5d00359e341006c525acde13e935fb408b352ecaae0cfe50b61bd999b348abd86876306f3353ba6b663411b65e7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpjbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe

Executes dropped EXE 2 IoCs

pid	Process
3188	ecabod.exe
2060	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHU\\xbodsys.exe"	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU7\\optixec.exe"	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe
3188	ecabod.exe
3188	ecabod.exe
2060	xbodsys.exe
2060	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 3188	2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	81
PID 2584 wrote to memory of 3188	2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	81
PID 2584 wrote to memory of 3188	2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	81
PID 2584 wrote to memory of 2060	2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	82
PID 2584 wrote to memory of 2060	2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	82
PID 2584 wrote to memory of 2060	2584	57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe	82

C:\Users\Admin\AppData\Local\Temp\57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe
"C:\Users\Admin\AppData\Local\Temp\57078b45c225a5063d3b7acaca6202d47e5ee931cd39295c7c899f5e51d01b19.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3188
- C:\UserDotHU\xbodsys.exe
  C:\UserDotHU\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotHU\xbodsys.exe

Filesize
4.0MB

MD5
024c89a1bef15206e481b04cda91de75

SHA1
616e374dcd90dddcf38ba1006eee0ee154416d90

SHA256
f39141bfcd9013588ac90981938a56f968d8f2ace00b3411679ff2539b0be9c7

SHA512
cabf39445d1eddf1cceb0201d9fa171f5c4d4c330a5b2a926374c73360a8368ad87679106c145616156d8d4c66395749450daf86d4c44ac203a8c31a3196d699

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
147dae5c0d8d96845dbb469367198df8

SHA1
5640f583da7a9625402540278ebd752946c11e3f

SHA256
f38815e5e1ee2ef148f6ba801636ae2567fa640cf3979581b0b25af77b370da5

SHA512
7d2a3c8d9f32c31ff9bc5c23010a996d909418689fa8387e0eebe1fc93f6aed77595fe552dc1e534e5217cb19a25e7c9856a39b8c192e7bafb05b37e5fcfb542

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
3407eedf98fc367874e61bbc109e2ba7

SHA1
5602a7bc9cab1122459af99b0b5e0b27950ac2c3

SHA256
a20365e9ef75c4fc9ddc7b486b1df77452feccf2222474a0a73f3115aff3bed1

SHA512
db0f6f3d0d12b16f6355e58ccade9e9d3eed4982e19bbcff222e6eb53e00b1903da89a4754bb7914c7710e7f513061ceb78a5c8633dbbe416033924c92bc72a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
4.0MB

MD5
cb0ac284b7e59fe44970066cf368eed3

SHA1
7b87ab0d46aa23ec88f4c8230857c132d49bf6eb

SHA256
b73768ca9279e09966f404a04d43a39e7b6ade926f9ebfb211e47acc0492e99f

SHA512
204504028b148a80831f1a830b2fbe4dac44ca1d71432a9a9a0eb83b0a0bc689c7b08cb5739fa9c25bf0286bf5b069ba5f09b985f76fc0e5c38eb1d332ed51c6

Download Submit
C:\VidU7\optixec.exe

Filesize
194KB

MD5
efe6ddf93ef9c1ab381cd11e65df79fc

SHA1
ca26625c07cb87f3761a181e92d76c22bffba378

SHA256
d264d8062e689be0dc29433caee9e72a90098e97d05517f8a9af5bf0b11669e9

SHA512
9cc6e3328f92641a59cc8caa08d85ad57daf343d81b0194b70b0c795d0ec88350607c7137f9c4ea245cd251a23f9159fa5cbfc2aa0d798b77cc63c8981f04ba6

Download Submit
C:\VidU7\optixec.exe

Filesize
20KB

MD5
586dc09d5804dc54d44fbabe2f70a2f5

SHA1
1b5a9a763950331479ac1c498b03264cda1e5e0e

SHA256
33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079

SHA512
54a9d8562e63f9b26ca5680b6e9a17abb896ba1d76fd279957335198bab32efc42361d0585349bd615b1859a022b024d4629234b578a41c99310d0b00c64998a

Download Submit