467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
Size

2.6MB
MD5

d73dbc077f643acecf9182e2d6ea0f00
SHA1

2b0caeb79eeb5e4becb6cbea14d2e0868c6f288c
SHA256

467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6
SHA512

3cce366c4584ede5c2ee6c950c6f29912ccc1bdabf9d74d0ad6546dbb67216b3ee1b1cb7f914537e654e2d613068abc9609e8233c28e57e07daca35487ab0ad4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bS:sxX7QnxrloE5dpUp2b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe

Executes dropped EXE 2 IoCs

pid	Process
1516	ecdevdob.exe
1596	xoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintF6\\bodasys.exe"	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv13\\xoptiec.exe"	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe
1516	ecdevdob.exe
1516	ecdevdob.exe
1596	xoptiec.exe
1596	xoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 1516	3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe	82
PID 3164 wrote to memory of 1516	3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe	82
PID 3164 wrote to memory of 1516	3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe	82
PID 3164 wrote to memory of 1596	3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe	83
PID 3164 wrote to memory of 1596	3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe	83
PID 3164 wrote to memory of 1596	3164	467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe	83

C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe
"C:\Users\Admin\AppData\Local\Temp\467e1695403afbc0e5cbc343b23fd0e6ba6eefcd88425bda7207fc759eaf28f6N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\SysDrv13\xoptiec.exe
  C:\SysDrv13\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintF6\bodasys.exe

Filesize
2.6MB

MD5
7792755b0c295158a8a634fcacfabb2b

SHA1
75b38835ff0c1355ad163c21939b236c8ff19597

SHA256
9d986e67768b0ca49b7b69366a7395039e7aa73ac3335803eccf1ae64735809d

SHA512
445a850a47eb9e824d28a59a9b9c46cc4f1bd57b99255f34889f7c1bee70149afd255d181571c407f6bc014c7cd48cee350ae52c11dbb3aa5486c024913392ef

Download Submit
C:\MintF6\bodasys.exe

Filesize
1.2MB

MD5
08b2b25a0d9856d07efa87a8b5e81a47

SHA1
124b117daeeb90572e543b51b50d2cf19c9a1588

SHA256
b388f95b70ba9ca06497bd00b1544a00d543a173ffbf0ed72e36dbd754829836

SHA512
5935ca74fd68355fe180b5791864baf42d7a52f7332fd58d9964247d3fd6884f984b55f9e4f73a5fd1b0259e0ef6e32322e94a6a4417a345d9ffb5f8bbb86665

Download Submit
C:\SysDrv13\xoptiec.exe

Filesize
2.6MB

MD5
e479ea1bf6846711c90c63bfbd667726

SHA1
e6856d6bf6b604c67a9bf44ade70bfecb11df0ef

SHA256
d1a0f6cb915c8add16cf0d9359701c2dcf6d6734afb8405f610a872919113077

SHA512
a7ff5ac8485b6a4b0f16cca926bb1bf37e4e297e3237da3fff0b6fcde6204d722692a5ec850aa53d06411d554d0205681e593cc614e61b15bd7f6abc7f2e67bb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
086faf0dcd1021213be470f97912604a

SHA1
1eeb32386f859e906c1f4af19aaff1bfc935bcc3

SHA256
e9d0677fa1f911ab21d68adab2a8804fe301f82a9fef657c9464041f8ae5b624

SHA512
a7bd37c568c704fb934b1bcb61ed5518f20249eb2f8d09d9df99ec416f056ef6e504fb20cc0db45cd901252c107574cc522ded8c3e14c115179b3dc66c0737b4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
b59076a632040feca385b9f50c2e0bf1

SHA1
e7d7d76c63349352297f787cdee6b765a2a2d489

SHA256
6d893b434aa2e4bd280760e2c3bca939a0900ca84caddfa3325d39759dffb4c6

SHA512
ed434da2233d44a3b24cdf87d372032a731eaf192d35cb60ca525bbdcbfae04df03aa2976d9a2ded349c4beba02147abcdee0309cd0d66e3c040ed8288b22887

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
eed531c14c2e39c8a28091946e4f80e0

SHA1
abfc9d685ba6ee764bc4f3dd090303cf3e0853d5

SHA256
178ab44ba7f7af702056ee7a02524cef1a8a49cf24e951efc10441c5a2d95544

SHA512
ca3c9c3279337c8106b9863048b10978d11dac5ff4be0476187df61a2569e2fbd426d18c179b849ca4ca06ceb47d6c4147515cd1740ddd4963cbb57579d4a944

Download Submit