0935be3f5a21b8f3f684742a1fd01d78bfbe7a20c0544507a2376e4859b1ba60

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

128d74dd02e8ddbb3134d528197fe480N.exe
Size

2.6MB
MD5

128d74dd02e8ddbb3134d528197fe480
SHA1

ad7db4f55a29bfcfa948b4a55cff9a40ac6fb440
SHA256

0935be3f5a21b8f3f684742a1fd01d78bfbe7a20c0544507a2376e4859b1ba60
SHA512

b2b0970298d40d67452fffcea4457dcec7c76fd7d6a08b4cdb1ad6389a536396664662c1fd93b9e8b94b4f33c032a0f3a7ddcdee6b53d90464a0656c07eb8213
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpJb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	128d74dd02e8ddbb3134d528197fe480N.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	ecaopti.exe
2008	xbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	128d74dd02e8ddbb3134d528197fe480N.exe
2212	128d74dd02e8ddbb3134d528197fe480N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1O\\xbodsys.exe"	128d74dd02e8ddbb3134d528197fe480N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHR\\dobasys.exe"	128d74dd02e8ddbb3134d528197fe480N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	128d74dd02e8ddbb3134d528197fe480N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	128d74dd02e8ddbb3134d528197fe480N.exe
2212	128d74dd02e8ddbb3134d528197fe480N.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe
2792	ecaopti.exe
2008	xbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2792	2212	128d74dd02e8ddbb3134d528197fe480N.exe	30
PID 2212 wrote to memory of 2792	2212	128d74dd02e8ddbb3134d528197fe480N.exe	30
PID 2212 wrote to memory of 2792	2212	128d74dd02e8ddbb3134d528197fe480N.exe	30
PID 2212 wrote to memory of 2792	2212	128d74dd02e8ddbb3134d528197fe480N.exe	30
PID 2212 wrote to memory of 2008	2212	128d74dd02e8ddbb3134d528197fe480N.exe	31
PID 2212 wrote to memory of 2008	2212	128d74dd02e8ddbb3134d528197fe480N.exe	31
PID 2212 wrote to memory of 2008	2212	128d74dd02e8ddbb3134d528197fe480N.exe	31
PID 2212 wrote to memory of 2008	2212	128d74dd02e8ddbb3134d528197fe480N.exe	31

C:\Users\Admin\AppData\Local\Temp\128d74dd02e8ddbb3134d528197fe480N.exe
"C:\Users\Admin\AppData\Local\Temp\128d74dd02e8ddbb3134d528197fe480N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Adobe1O\xbodsys.exe
  C:\Adobe1O\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe1O\xbodsys.exe

Filesize
2.6MB

MD5
afee511389312740cdd890b1eddff485

SHA1
3de884e186bff6ff0860d2a281ff88e8a7e58439

SHA256
2180f69a78069d83cb0c571c4eddac881a1d65ec8cb37f4de1a00d7073e977be

SHA512
8b014db842a2c1b4cb90a52e9d8ea427bc0d2442fa557421c476b186589f9a3503e5374cebe0a7a0bd51d1d5a50674310754b661a0c1e50dcb321420b19decaa

Download Submit
C:\GalaxHR\dobasys.exe

Filesize
2.6MB

MD5
2cfd3504400c0cd73cd43ff405f6ec51

SHA1
28c03cfd87135d28e95fc3858c9215092a6bb5ab

SHA256
bfc707760e9da3c84e6644f5aca11258db443ba1f57b5d720fa9e661ca43f5be

SHA512
3974e11ba1e6397abc08ad79cdc23d31d52d940314b45d873b21efb9e0eed953626dab99bfc809e8bb0efdfdfbdad9b4221ca5d149cae84abdb1ddcfde3aebf1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
79c3ffbdc1b4c0635e3a1cf2abb5f5b0

SHA1
dd3ac3d598cc2179d766ee94b3dca3d36c44cac2

SHA256
e98ab3ac6f33731ef21c8d7757e3e492c6716ef64253af17d8c1c2d647ab68d9

SHA512
35795458e948c51f370a169f6aff69fb9c6e93d1f2b390bec2e77fec637601cf0ba0a0a07eeeaee398b0cde0bb805fe2c7f523b7410d690fb576e2c4f44fdb98

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
41fe5bc194840edd6044563f1c267e5c

SHA1
f54ce09798f5f551dbd8ecb250c97001afa4ecff

SHA256
ec9347c723f5172ad4aa6466d959d79d91d8c4057f46933ed5d2115b0cfa5045

SHA512
a0e536518f597736a2b03059758ab64139a103b1cd1519d526bd96898693396e8aa05c6abaf1c60b29a37a5eee5d4d1fb53ea957df8ffb811914f97aa76cbec8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
a79d4b72dd98e8f9b60a37fadcdc41b0

SHA1
2a8c18cd9b0bb9152b4ed44f8384241bfd8f37ef

SHA256
d0ef66fdaf6113c9663615ab2d2bad3047da0a265dfa72e50f59c0b576188377

SHA512
12804c58afaed3687963d02c667a8ff85a9e2f88b1ca5148bb17b33024d17c419d6e817662899a192819c58d9f452a9821b4b44f4e0e05db85ae35a6561b0d01

Download Submit