e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe
Size

2.6MB
MD5

bc4fad2504660b57b1a9ab066d9dde99
SHA1

60d5b00523d70465f0872f06f9f439ef3a0403f2
SHA256

e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed
SHA512

0be5d3ff70e3d211c522bc61db0fb1a744c2c2ba8ae18afe4f2f7407bbb0e24d59bdaf01c2ae9068601ce25c279e46d55fc5d00911dd0cae25fb8d8dd259565a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUpBb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe

Executes dropped EXE 2 IoCs

pid	Process
1968	ecaopti.exe
1508	xdobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWL\\xdobsys.exe"	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPB\\bodasys.exe"	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe
3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe
3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe
3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe
1968	ecaopti.exe
1968	ecaopti.exe
1508	xdobsys.exe
1508	xdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 1968	3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe	87
PID 3296 wrote to memory of 1968	3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe	87
PID 3296 wrote to memory of 1968	3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe	87
PID 3296 wrote to memory of 1508	3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe	88
PID 3296 wrote to memory of 1508	3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe	88
PID 3296 wrote to memory of 1508	3296	e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe	88

C:\Users\Admin\AppData\Local\Temp\e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe
"C:\Users\Admin\AppData\Local\Temp\e05f47fdbb956b1308665592dfc689a41fc13f6cbb63042911a66ae99046efed.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\IntelprocWL\xdobsys.exe
  C:\IntelprocWL\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxPB\bodasys.exe

Filesize
2.6MB

MD5
c39d74c51a92bd8e9c95db66453be4e5

SHA1
ac4813644bcf25e7138f31ea989f73c39b0e0129

SHA256
f5078d69b7028b711a644e6b2acd828b65ddd731af072544a16278239f06d067

SHA512
2c677144504bf83317175f8f217769e0ebfdd918086e656a617d292566ce675b7d11177ad68e462ff820a818ac8932846058dd20ceb4c2374b1b65cc64a72c8d

Download Submit
C:\GalaxPB\bodasys.exe

Filesize
2.6MB

MD5
53b1d827f26adb2d80f20463c16eddf4

SHA1
f297068ebd7b70847b542d78d9e8bedcdcf601c9

SHA256
27e2734b2b39c7a8ad0fd4fdd5cd743166d3a3e5ece6888b62d27e5f29f79363

SHA512
4e33c56a802420988d7c215526467d9d4f78655cf79c59b5160597f292e9efaa1fc0072548701b442ef67152ab239d473fa6743f6a94452e979837a174549b6b

Download Submit
C:\IntelprocWL\xdobsys.exe

Filesize
2.6MB

MD5
00b1c067d6f43a0f9101dcd0c63d8509

SHA1
3f5158059c53f37c7ca03e16e78915eec27660e3

SHA256
446ced8276073a3dd6990a004585ed6b3c384863f1348072a723d7973a63a197

SHA512
5b67591fa4175d9596b0024ff67f3adc2b2281c5030dffdbd201fed53f5237f36843fcd5eb39f96b84cfd34b05a758186cef44bd5e05a0945ff916cfe2846a0d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
70315d5b3ea3762df6a01a103ffca412

SHA1
b59290fd651249307519a235fcc42f370fc963d1

SHA256
c488d3ccdd7163a58b1bf63cdc3afeda228426ed2b4cc48c16f84f91680f08d2

SHA512
26cc6c506d381705ea5116974fd4e9e70ce7a0cbae97d80582e2181cc6c098b5d255f1c30441d3110f230caf3414b03cbd7504a89c3274ef55d931988c2ecd98

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
76eb5a6fb713225a47057587faf260ce

SHA1
0bf3b56d76f20480d7e9f38038674e9a95aee680

SHA256
3b76711d13874200b5ded274615b80f5fdb6b3510622a80bb74075c0255ee597

SHA512
776bbb292d4adfb61797027c0ab889afaf40c4b0b08cda441dd75ffd14c101d4712cd7898ac31568a50360d91f9f5252663e99063f2f205db0621cfd5bfd3bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
aabc040331fdf306914a4f895a50f4b1

SHA1
a213790622ef5b3baf6119952a8d2a1a67f5160f

SHA256
c9a7463d3a355a102ac7e714f31f67b8630dc07bdf93c931c9c42e9f5367af35

SHA512
43e897b1e632635b75e6a0e8bca1229bb17745a4423b233b5ed433986c6fa38d85373c80225a5dea51e5ab1342a257485ebf596f69c13bfece2045e5e425a91f

Download Submit