Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:30
Static task: static1
Behavioral task: behavioral1
- Sample: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
- Resource: win10v2004-20241007-en
General
Target: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
Size: 2.6MB
MD5: 779680a307a34a3c91d2090dc6f89fc0
SHA1: 64082c617087cf1f8e5b179e2cf4a3ece7ec6b2c
SHA256: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448
SHA512: ab1dd2eb9b7d479f8b89181243ef1fa401ea920df6636691d41bc100464ae989fb4ad0c8f0b975e33719ea17c881e21fa7a7aabd6e2f7a43ed6ce3e51c85ef87
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpmb
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (process: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe)
Executes dropped EXE (2 IoCs)
- PID 2356: ecdevopti.exe
- PID 2032: xbodsys.exe
Loads dropped DLL (2 IoCs)
- PID 2120: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
- PID 2120: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCS\\xbodsys.exe" (process: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTW\\dobasys.exe" (process: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevopti.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodsys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2120: 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
- PID 2356: ecdevopti.exe
- PID 2032: xbodsys.exe
(The 64 entries are repeated occurrences of these three processes.)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2120 (15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe) wrote to memory of PID 2356, procid_target 30 (4 entries)
- PID 2120 (15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe) wrote to memory of PID 2032, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe (PID 2120)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (PID 2356)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotCS\xbodsys.exe (PID 2032)
    Command line: C:\UserDotCS\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads