1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
Size

3.9MB
MD5

130ce263810502ef67b195be63833750
SHA1

b7549d4be7e7a5fbc4aae431563882caf1ebd140
SHA256

1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7
SHA512

1c450d0d7ddb74e034c76768229a7923ae4cc8654df373c2903a7a04a4c9343d761bbdc4506bc0c514800c73831b4cd0a94903bb0eb05922fb85e467f316699c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSqz8:sxX7QnxrloE5dpUp2bVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe

Executes dropped EXE 2 IoCs

pid	Process
5104	ecdevopti.exe
2980	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files94\\xbodsys.exe"	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX3\\bodaec.exe"	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe
5104	ecdevopti.exe
5104	ecdevopti.exe
2980	xbodsys.exe
2980	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 5104	2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	86
PID 2560 wrote to memory of 5104	2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	86
PID 2560 wrote to memory of 5104	2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	86
PID 2560 wrote to memory of 2980	2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	87
PID 2560 wrote to memory of 2980	2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	87
PID 2560 wrote to memory of 2980	2560	1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe	87

C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe
"C:\Users\Admin\AppData\Local\Temp\1e147da0e92bdeecdbf81af8a663496ddf0b0eaa2bb8a6fe1e354d1e02fd1ea7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Files94\xbodsys.exe
  C:\Files94\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files94\xbodsys.exe

Filesize
742KB

MD5
d44055515a04c56ef18a60abcf01e555

SHA1
efcee993f1d9f60d9f23158f42c7804f0b7f895b

SHA256
9a09c719fdc18bbc6b99bd33a886055095ee6171366f8d6c5a04d870c6f01571

SHA512
62b292e406ec148b71610f3c6adea9eab516b86af874414a4e670ccc707331f0097a50814c62fd29ac8974cce14577e072386ba38c352347cdd7204008726a49

Download Submit
C:\Files94\xbodsys.exe

Filesize
3.9MB

MD5
ac0ce8b7eb7dc8df7e1f4dca99d2b5da

SHA1
1dd1564af1c63f2b05e9ddb39ae25fb23c3d7aa8

SHA256
5ea4b83e1a1afb0f56e0015ad2df0611cbc81b4e614148ea7d7bfdcb2eb825e8

SHA512
a4236fbe1e6c922db3a006fc981f01bb57b2cc53809f0c4a0810d9b33036d13bc9a40c1c23bc82992cf975918f2c9fe0e5ffd6856be493b0ce079a285c21856e

Download Submit
C:\MintX3\bodaec.exe

Filesize
3.9MB

MD5
f3482f2cee2a45ddeac25880b9ff7567

SHA1
36a25db7984de10e2b064cabb56adad199f3ed66

SHA256
3caeb1e0440e132fb12603ca1239a14c14646427a0d733e482f1fc36be43553c

SHA512
b54ada3f1c644b32d042cf5c7fa903f8007a9d31c733f578a669528ede9a9a2db3418c21e8196b4c712238966e28dcc77ed98087f8793fb523a3d813bab77424

Download Submit
C:\MintX3\bodaec.exe

Filesize
39KB

MD5
8ad721cb3223c0cb0b022c6cf99d1f1a

SHA1
99e1b9322999587da01c53dd1be3aac20a64aae7

SHA256
ec4254a666580ddda21c1d4b28a9805a5d6b1bde7d697e49780a04a2f59fd39c

SHA512
f6c2d6c678dd330439cd301f544050af076e23f3a04efd8ee991f1744f510706ec892d2d68b699da9f65e2c45daa04d9c4173f2775f267613e4f3c00ac1d2dfa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
08326f871c2ea20ce66baf3c4a77477b

SHA1
b2817d587fb0ea246e0db77d52a16e8b13ce5b60

SHA256
ac282b095c49a9e6abc992623ef1a7a6149abd0923da9f71027114c79506073e

SHA512
5ceb37ac9678f13793ff0138338ed2d3a12691ab44444c3365782070ba299fdc32463097437fccabcb0bdefad7ef5ea71325bb4d1e11ddec67466e99dd018a9d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
bfc08b72ec99fb6520dfdc0c9b7bd0f6

SHA1
3872694a2857701162624157e19bf32a705a854d

SHA256
afc03b13df6e17b49679fec002dd91a8446b07348bf0128c589d0b46ce6511ff

SHA512
38323c5689d6ca43aaad1a3f49963c2c90bb9de497f4281e1ec92b2a47be35ccfafa9233ceeccba998efb1d800736c8826c6dff40e1c3faf0a93b134f5c73110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.9MB

MD5
a181b0d4b614614dfb190fe2a14d7c64

SHA1
e81cb15e0b0f892eab123aded55fbc7b03b3f388

SHA256
8ea376f189f625bf1f861726ceef49a641de02b6955291e20979b2275bac44c0

SHA512
448842013a5c5b0eca19e937278e400e859f647e75c8d8e9626e30cab6ae7c7c4bf14cfea153efc40b69f38dbb566857639755d4a82da384d98d8296e177450c

Download Submit