918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 02:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
Size

3.9MB
MD5

0b8385a80202c7a9052e266bd6b5d712
SHA1

6477f77cdbb7637e7f807585ef25435ff1f2a193
SHA256

918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3
SHA512

f81a8670f50559fa5a18e613ce0327450bbff524653588da9abb44fb9acbc24c5672a157f4a1a264ee7c606fc46e4781038e143467f4dad905107a425b007b23
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSqz8:sxX7QnxrloE5dpUp/bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe

Executes dropped EXE 2 IoCs

pid	Process
2784	ecabod.exe
1712	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0X\\xbodec.exe"	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOF\\optidevloc.exe"	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe
2784	ecabod.exe
2784	ecabod.exe
1712	xbodec.exe
1712	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 2784	3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	88
PID 3880 wrote to memory of 2784	3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	88
PID 3880 wrote to memory of 2784	3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	88
PID 3880 wrote to memory of 1712	3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	89
PID 3880 wrote to memory of 1712	3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	89
PID 3880 wrote to memory of 1712	3880	918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe	89

C:\Users\Admin\AppData\Local\Temp\918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe
"C:\Users\Admin\AppData\Local\Temp\918b17ade592614df5d26afada71431d83f3c12ed1bba13377f3d9c504362ee3.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\UserDot0X\xbodec.exe
  C:\UserDot0X\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot0X\xbodec.exe

Filesize
676KB

MD5
9b063d100a504e32687ff4b27d567ad8

SHA1
592ac2e00b9dc56b77eb1a96e42ba1e88ca781ed

SHA256
a5b845497307214939a5be7833c872af743c98ae1e57db76f092788aacbe95bc

SHA512
9dec88ddfb432a4413e3049ca2442a187866c2a1a83827e6e1bcf1a5baf4fb5a77cb744e5e96aa32d8192054699e1c7a6ca6962154fd45e7b8f287cfed403d10

Download Submit
C:\UserDot0X\xbodec.exe

Filesize
3.9MB

MD5
e390ecfdcef45f8a6b9592fb0441d5cd

SHA1
8f336d03e7524e52490ede8d606ebd17e9ab5ce4

SHA256
e097f8a8866608d3aef6524aa4b3f826a0e7d9f63bde1e8f05ad102239cd8d82

SHA512
8e419d3e985490f0f147332f530d3ad7ea827927c467434b173979c337f31a72dd43cdf5390952c32f17be8a1708daf7d763dfcb6f448b7d523d0620130b0cd6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
6f33b1c0a788078ea261150d429e118b

SHA1
274bf6104fc0b7ab0fbdc5f3f7e35102bc7cf7a8

SHA256
6e786efdcb0877831f9733229d5d3d2901628fce297e1854c4cbc02a595e98ed

SHA512
457dc7b53f688e893d1655565c4f713754f0cac96debe0c356f5c224def248ae8165e030400700065980970f610067a814333d41e2bbafe104d28e277d92e58b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
047603451b42f2b5467fe47be4f7bd92

SHA1
ec1b1287cafb75ff5ac13306281bbcbec63a3ea5

SHA256
b053f07474cf6bfa0a7b3f7609c08bbe088d6a5307e633b9a1c89cd4ab7c2b70

SHA512
bdd971b447e8af1865bf6c4a42bfc3f2aeb83177babf19eb192025e26e0f297308ced08605dca53b51f8097273bf145d0ee421caed1985e851a210b993c72674

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.9MB

MD5
3eeb697c99b24fc79a9688b63ce540f6

SHA1
58759a25d9cf953e81da98a2728f3bc2a6d1944d

SHA256
73b4a40247553a61d5a25b414a0c433e670a0ca593255364ece517ebfc37131c

SHA512
26855fbfab1c453e96820e644b650201028666f0b38b166fc25de65e81cb6214257422c5c85ca866ff48fdfe6fbd526ae50053548b6d71c5fd01f5d545123041

Download Submit
C:\VidOF\optidevloc.exe

Filesize
3.3MB

MD5
8cc8abbb8017a013559b15b53a1218f9

SHA1
07e28500fea9a57d0dee4ec0a77548015c239b14

SHA256
46ea21e8723d97f7c9614e47a5a79c42a1643bc300e0c350cac708f1a99a1975

SHA512
2dd7297aecb03a0a36464dc40b5bdc1840d5662dc07a284c291d20cef1e20d2443e11fc89147d9fdfa92e753cc2e62caa18bc05568faef6129f658a4f742e944

Download Submit
C:\VidOF\optidevloc.exe

Filesize
3.9MB

MD5
b5502e90abc20f644a57564c2a11f35c

SHA1
40acf631c1a4c4526a8ed2ae915610d9b5c75574

SHA256
657a75daf470f7280d5a3d9bb69ecdb22d893d47b3a8dae0be0934eb6943aa18

SHA512
abb2311ffd2fc2b52048c088374989f0ca7aaadd56b00b7be88d17b70685da255ad542a139fa5ac288864e2f0739f41b80778d36593305a6476f70de2436470b

Download Submit