6be9a13228a85831f34afc88a435ff399a785ebb4e4baf2f07a0becb0820dc0c

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0641bd8c04806e04f67339e8dc84ddf0N.exe
Size

3.2MB
MD5

0641bd8c04806e04f67339e8dc84ddf0
SHA1

62a7f448f27886ec3d1a40baed2f1188fafd60b4
SHA256

6be9a13228a85831f34afc88a435ff399a785ebb4e4baf2f07a0becb0820dc0c
SHA512

d8fc5bc37eb62043bd82b0c5bc7b40b55f730fdf79e77ec682e8b361070a0cd65078e10e4b61504c0c66bb4b3476c364c77e1925b80a2474c9c3126ed561ad09
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpSbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	0641bd8c04806e04f67339e8dc84ddf0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3352	ecaopti.exe
2928	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJN\\xdobec.exe"	0641bd8c04806e04f67339e8dc84ddf0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAT\\boddevsys.exe"	0641bd8c04806e04f67339e8dc84ddf0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	0641bd8c04806e04f67339e8dc84ddf0N.exe
2824	0641bd8c04806e04f67339e8dc84ddf0N.exe
2824	0641bd8c04806e04f67339e8dc84ddf0N.exe
2824	0641bd8c04806e04f67339e8dc84ddf0N.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe
3352	ecaopti.exe
3352	ecaopti.exe
2928	xdobec.exe
2928	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3352	2824	0641bd8c04806e04f67339e8dc84ddf0N.exe	86
PID 2824 wrote to memory of 3352	2824	0641bd8c04806e04f67339e8dc84ddf0N.exe	86
PID 2824 wrote to memory of 3352	2824	0641bd8c04806e04f67339e8dc84ddf0N.exe	86
PID 2824 wrote to memory of 2928	2824	0641bd8c04806e04f67339e8dc84ddf0N.exe	87
PID 2824 wrote to memory of 2928	2824	0641bd8c04806e04f67339e8dc84ddf0N.exe	87
PID 2824 wrote to memory of 2928	2824	0641bd8c04806e04f67339e8dc84ddf0N.exe	87

C:\Users\Admin\AppData\Local\Temp\0641bd8c04806e04f67339e8dc84ddf0N.exe
"C:\Users\Admin\AppData\Local\Temp\0641bd8c04806e04f67339e8dc84ddf0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\SysDrvJN\xdobec.exe
  C:\SysDrvJN\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBAT\boddevsys.exe

Filesize
396KB

MD5
3ecaf6f2633ad5021c9f477170e693cd

SHA1
70272cb0d54ee017aa715f4d74daa41fd453fd1d

SHA256
606f9b5d2c481e7be55dd1c5cf34fbefd3dec8176507c55641619e65a6048497

SHA512
a92e9867230ffc9de916788b4c08a4e6dea40c3befe9ffd7b231a92eb1ae94f815bc8d24827d0d7b04945e94d451335c8ec52420ba3a7ea2a4e552d98021a429

Download Submit
C:\KaVBAT\boddevsys.exe

Filesize
62KB

MD5
5d9b83d6bd87b041fcaa3907a9455a76

SHA1
b124ac02d9176f34e97b79b61f7056d2d34244b2

SHA256
2410fa9735a2477cc2d7f531067de6976a33f7a307c4bc9d85522179ff8941ad

SHA512
eee328fbc23c1be6653e0698aceaabf33ae237ad52c6ab5a4336fd5c009f8987e3863338c849289addc1698e1b563c8b67522134b9923516a2dfdd74848fb66b

Download Submit
C:\SysDrvJN\xdobec.exe

Filesize
550KB

MD5
f7379374b46b11791b37a47ba53031ce

SHA1
43d9551abe30841eac354fcdf43c4dbc03f01fe7

SHA256
4296680e2096913cfea39eb96cd51e4bb701ed031f50bc09431686c01e602699

SHA512
2749f0147483fa815e42844c194247a5bd0f842f53353acae1d28e14d74f050361157593420bc763c899ea82a089bdb56808ff29168fa04a2d025d21225df779

Download Submit
C:\SysDrvJN\xdobec.exe

Filesize
3.2MB

MD5
366182a43eccc95d98f572c3b0251937

SHA1
60aa7079364d5a289e9264a7cd6f6599e846cc8c

SHA256
1690bb4effe5f65c10a1ee2d9a22b77466a0fcb114c1c7bccabb64a5ecf602b4

SHA512
b152b25e34069da6dd78e565c299e6125c1eb1ad611bff7ce10702b389bf062bbc313aefdcc9dd4773e0a39688a9acfba79e0cd527d531b4c7d36fe89d7397cf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
4ec8672cce2ae7053ede0ef6fea2c6aa

SHA1
cf1bfa7db368c9d620692844589989fe5f865331

SHA256
8c623927449473ec8fdce7280a2ff8611737950dd04a961acbcf23b874c0f10b

SHA512
172cffcb9339295cab317a300649dbd481fd20b22b92b0c707bbe5aa9303bdfc1dccbf27b581a68a52c80a45547483d92d594640de912abc1287218fee5f96ee

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
1d74fdceb18c3923e3406c22101fb29e

SHA1
b59131d0705655178ba5648c04a5adc313274b02

SHA256
f9c41891144dc50bd375c3b563cef0f1b4513ec24241292cde5ad9559b0049d0

SHA512
54eedb8b2a40be561da00cca7f78a680471456c221c870ca8c0b71c614da47af45939a4d7bf3ffb19762b68813d2d8468542f2dbcd2ac918311dd32c1e37f555

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.2MB

MD5
878aedafbed3ee14c3accfd62de11c84

SHA1
f7f7a0c9c913cb396489291c5bddec2ee8acdb3c

SHA256
23b23fc3c1b9a429f1db68c69d800bdc07aafeb5e228489eb93f9c272e23c97d

SHA512
d2545b7be70dc982176381bc8f7ed5babc30e4c385fc7e9367db7d74b98ff597e4d1e0bbc7485bf44f15f3209a527ebcdec675d2becf73df23d53121c7770675

Download Submit