Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 03:30
Static task: static1
Behavioral task: behavioral1
  Sample: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
  Resource: win10v2004-20241007-en
The results below are from behavioral1 (platform windows7_x64, resource win7-20240903-en).
General
Target: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
Size: 2.6MB
MD5: 9de6fa8f790d4cc461b260907f377ed0
SHA1: 87caef779744371cc0f5cb9a2ec912f5b6a9f80d
SHA256: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50
SHA512: c19917e2a5bf5a9953e48e7f0e4d30c328cde4094425e2090be0f2187e7f935325936e6aeb66b1e0e6c4542865f6a4985b08b06a3967d5e43d5b8f257085d1ed
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpRb
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (process: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe)
- Executes dropped EXE (2 IoCs)
  PID 2696: ecdevopti.exe
  PID 2732: xbodloc.exe
- Loads dropped DLL (2 IoCs)
  PID 2788: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report lists no IoCs for this signature, so the hit is a behavioural classification rather than an observed file or registry access.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9A\\xbodloc.exe" (process: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY9\\boddevsys.exe" (process: 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe)
  Note that both values share the name Parametr and point at executables in freshly created root-level directories (C:\Files9A, C:\VidY9). boddevsys.exe does not appear in the process tree below: a RunOnce value executes at the next logon, which is outside the 119s run.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: ecdevopti.exe, xbodloc.exe, 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2788 (30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe): 2 entries; the remaining 62 entries alternate between PID 2696 (ecdevopti.exe) and PID 2732 (xbodloc.exe).
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2788 (30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe) wrote to memory of PID 2696 (procid_target 31): 4 entries
  PID 2788 (30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe) wrote to memory of PID 2732 (procid_target 32): 4 entries
  Both targets are the child processes that PID 2788 itself spawned (see Processes).
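The signatures above translate directly into hunt logic for endpoint telemetry: a file dropped into the per-user Startup folder, Run/RunOnce values pointing at executables outside the usual install directories, and those persisted binaries then being launched, with the NLS\Language read as a low-weight corroborating signal. The following is an added example written for this page, not part of the sandbox report or its tooling. The events are constructed to mirror the report's IoCs (with PID 1234 as a constructed benign control that registers an application under Program Files); the event field names, rule names and severity levels are this example's own assumptions, not a real log schema.

```python
"""Hunt for the persistence and discovery behaviour recorded in the sandbox
report, over a stream of simplified file/registry/process events.

Added example for this page; events are constructed to mirror the report's
IoCs and the field names are an assumed schema, not a real log format.
"""
import re
from collections import defaultdict

SAMPLE = "30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU = r"\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Crude allowlist: autostart entries that point into these trees are downgraded, not ignored.
TRUSTED_DIR_RE = re.compile(r"^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)
NLS_LANGUAGE_RE = re.compile(r"\\Control\\NLS\\Language$", re.I)

# Constructed events mirroring the report (not real telemetry). PID 1234 is a
# constructed benign control: an installer registering a Program Files app.
EVENTS = [
    {"type": "file_create", "pid": 2788, "image": SAMPLE, "path": STARTUP + r"\ecdevopti.exe"},
    {"type": "reg_set", "pid": 2788, "image": SAMPLE,
     "path": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r"C:\Files9A\xbodloc.exe"},
    {"type": "reg_set", "pid": 2788, "image": SAMPLE,
     "path": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "data": r"C:\VidY9\boddevsys.exe"},
    {"type": "reg_open", "pid": 2788, "image": SAMPLE, "path": NLS_KEY},
    {"type": "proc_create", "pid": 2696, "ppid": 2788, "image": STARTUP + r"\ecdevopti.exe"},
    {"type": "proc_create", "pid": 2732, "ppid": 2788, "image": r"C:\Files9A\xbodloc.exe"},
    {"type": "reg_open", "pid": 2696, "image": STARTUP + r"\ecdevopti.exe", "path": NLS_KEY},
    {"type": "reg_open", "pid": 2732, "image": r"C:\Files9A\xbodloc.exe", "path": NLS_KEY},
    {"type": "reg_set", "pid": 1234, "image": r"C:\Program Files\Contoso\setup.exe",
     "path": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Contoso",
     "data": r"C:\Program Files\Contoso\agent.exe"},
]


def strip_quotes(s):
    return s.strip().strip('"')


def hunt(events):
    """Return findings as (pid, rule, severity, detail) tuples, in event order."""
    findings = []
    run_targets = set()  # executables registered for autostart so far in the stream
    for ev in events:
        t, pid = ev["type"], ev["pid"]
        if t == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            findings.append((pid, "startup_folder_drop", "high", ev["path"]))
        elif t == "reg_set" and (m := RUN_KEY_RE.search(ev["path"])):
            target = strip_quotes(ev["data"])
            run_targets.add(target.lower())
            sev = "low" if TRUSTED_DIR_RE.match(target) else "high"
            findings.append((pid, f"{m['key'].lower()}_key", sev, f"{m['name']} = {target}"))
        elif t == "proc_create":
            img = ev["image"]
            # A process started from the Startup folder, or from a path that an
            # earlier event registered under Run/RunOnce, is the persisted payload running.
            if STARTUP_DIR_RE.search(img) or img.lower() in run_targets:
                findings.append((pid, "exec_persisted_binary", "high", f"{img} (parent {ev['ppid']})"))
        elif t == "reg_open" and NLS_LANGUAGE_RE.search(ev["path"]):
            # Language lookup alone is noise; keep it as context for the per-PID verdict.
            findings.append((pid, "nls_language_query", "info", ev["path"]))
    return findings


RANK = {"info": 0, "low": 1, "high": 2}


def verdict(findings):
    """Worst severity seen per PID."""
    worst = defaultdict(lambda: "info")
    for pid, _rule, sev, _detail in findings:
        if RANK[sev] > RANK[worst[pid]]:
            worst[pid] = sev
    return dict(worst)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f)
    print(verdict(hunt(EVENTS)))
```

The allowlist in TRUSTED_DIR_RE is deliberately coarse: the signal in this report is not "a Run value was written" but "a Run value points at a random root-level directory such as C:\Files9A", and the same heuristic downgrades the constructed Program Files control to low rather than dropping it, so a reviewer still sees it. Because the rules keep state across the stream, the order of events matters: the Run value must be observed before the process launch for exec_persisted_binary to fire on C:\Files9A\xbodloc.exe.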
Processes
- C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe (PID 2788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (PID 2696, child of 2788)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Files9A\xbodloc.exe (PID 2732, child of 2788)
    Command line: C:\Files9A\xbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 814039714f546629801b3047f049a201
  SHA1: b84a1cca1e97c89b0804b532465c841d896010e5
  SHA256: 429b29eacb036167712437df4d73d7853a23908e8869851d12ce86026cb74c0c
  SHA512: 388d247e977dafb4a549100d415cb5efdca2c5b984bc49438fae3785421edf98ccdbd7accacdede165facc6b97c39811674af4fadf42575cbc75e5bb9f600c80
- Filesize: 171B
  MD5: 60151bbe6453256c273a81b6ba25146a
  SHA1: 46e5f038c3e30ca153cebc9e53a680e44faba881
  SHA256: 7db7bc0c7179b17a9799eb73b9fc7da340b6da90b04a76614d149dbd1f7beea6
  SHA512: ab055009c3ec3ba7dcaf6b97b189a593ca7d9441a7f83279726f241b7f54a4a0499c337f5be476e4bb293ea44364e58b6b451e8692cc31f7cc4bc288b312623d
- Filesize: 203B
  MD5: 478a7bc2b9f9478fb3850f7d8e89c557
  SHA1: b4360a28f1b6def3490fd4ca6c0e5b3e74e679a0
  SHA256: 3d153829e970f9e58d3c73428552a0d5c3e2968500e7c42a892b8085963cc2c2
  SHA512: 63c11c270fa1e36611ed874be000d791e4ac40322e463ef2e579541e462def2f01f802dc2127ce92c027fac2e49bfad24825b9f33e747545f11a69d47d8783e9
- Filesize: 2.6MB
  MD5: 8662396c1e4afc713b01501c42900ad6
  SHA1: 45a35d02a58869d6d3b27fe7e22bbf320df3e251
  SHA256: b43ecc3f6730a193130ee2b7fd2dcb6b913006b28bf90b214f4f79d29f813704
  SHA512: 0fb09ba191ed0133b8eb83985e7334b3f5c95223827d75ab22f1ee9e8ebfe68554a0d843c7f31c151f8304948edcb242d72cf2128bb4375890a964efbe925307
- Filesize: 2.6MB
  MD5: 92e7358bd80e3bcf619adba852d66be5
  SHA1: cfa209b6c36d616a69dff3caedaade4b929d0e8f
  SHA256: fa916b3e2e03840e3c2fd856ec18b9872450bc1a872c9b291769caffcdc7d41e
  SHA512: 7a45d20f377b3f770bfb55e15e6a8ad92c9c08fb32aee95460a485dc20e9d58a55743f1fa56e380f53d44b86d6a1c5c563ad6f0119dde45fa12ecb6bdfff0c42
- Filesize: 2.6MB
  MD5: 10b0d8cc1ea309ddbad132186b02a24e
  SHA1: 1a2a3d8a89a6dfbdd361cfcd443f72814d226c41
  SHA256: 1bf9f6560a39e757ed45e976cab948004fde37c6fbab457bcc2d80ccdea329da
  SHA512: fa0175317c2170c19eb306a931444c1047f99490cb2a6b88fd943969354a1883bbd4a88cc9383690fc4a38030aec8138846ed9e26a8f0d29fc886e4229025a18