Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27-10-2024 17:32

Static task: static1

Behavioral task: behavioral1
  Sample: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
  Resource: win10v2004-20241007-en
General
Target: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
Size: 2.6MB
MD5: 5cfb5045a8a94b4b6c681757807af2b0
SHA1: 3cbf6a14a1ba6433233a88202d6db47b3bda51ae
SHA256: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086
SHA512: 78fb6a66d74c148586c47eef9db5a508d7997ce2ca464ed59a4954ca6b3a377b77c2fb2e7bf30cf53ec0460f86647c4ff85284d26c5940628388fdb1ff8b8d91
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpNb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe

Executes dropped EXE (2 IoCs)
  PID 3004  ecabod.exe
  PID 2880  aoptisys.exe

Loads dropped DLL (2 IoCs)
  PID 2316  e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe (2 entries)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1Z\\aoptisys.exe"
    Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPJ\\bodxsys.exe"
    Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecabod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aoptisys.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2316  e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe (2 entries)
  PID 3004  ecabod.exe and PID 2880  aoptisys.exe (remaining entries, alternating between the two processes)

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2316 wrote to memory of 3004; pid: 2316; Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe; procid_target: 31 (4 entries)
  description: PID 2316 wrote to memory of 2880; pid: 2316; Process: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe; procid_target: 32 (4 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe"
    PID: 2316
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
        PID: 3004
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\SysDrv1Z\aoptisys.exe
        Command line: C:\SysDrv1Z\aoptisys.exe
        PID: 2880
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 5788db80ada36df5877ffe1fd35f98c8
SHA1: 2ad7e881815315dc2593ee9e517bc814010c35e0
SHA256: 639ac3413c232d5b9ed49d0c60b829848965fcc00fb3248b2cb560663daabdd7
SHA512: 9488b286f7fd111ddbc07cf5e7f8b98dc41d6a82a43e010b8dd561d963fdb48103d9c466f3b320bcdedede24940a6c6df5e1744328452cbc5b57096e150d3eb5

Filesize: 2.6MB
MD5: 6f8bf765a9696f63019c28e09a4bd97d
SHA1: 79dc16c3500b8f70a06d6773169ee17c4ee55367
SHA256: 8a9a0ebd9a6e638aec6706ae41a5e7a5d34f14048d40a36c13e8df9ff2cf8725
SHA512: ad8b16eb54af861c07a35663667f7984e49ec2ce4c64cb2484da00c040dacdbd0d9ab422ca13d479d458b6b3535a34ec9253ae99409aae8964dc0e3b387f7521

Filesize: 2.6MB
MD5: ed53093af7ad4a2557c4f4fc5ed7d93a
SHA1: 31cd930cc1dba8792f4383a18f5765387cfad6d9
SHA256: 79cd5a6761c8c571ab38a8b8476219902782aeacd16da52efea6657d37d3b6a4
SHA512: d1106cacaccfba5cddc967869cf173192bc1e8f983813de34ce698b9a1097da7c5f112dee171e05a4200a0a290dabfe4883919afdf20707ffeec7dff4df90b34

Filesize: 169B
MD5: eafef88255edf1034ef40f0fb205c787
SHA1: 5c09ba9ecae0c538b55e14e6b3afde4fde4b19f7
SHA256: 37839615fcc987308f343ead0f1bc44b4f4f76741a1fba482f5a75a32c5d1b09
SHA512: cc51433f434bb509cdf90b4481f6cdcbe72c6c988ec5e4ef1fa50f94a522d99e72e48ec64af34bb8baa60bbb9e385c59ae7c190040c737ec315793b6accaa73b

Filesize: 201B
MD5: 588c93d52d10e7f16e988598105793fb
SHA1: 8243c07b5605cf84d8cae76c8aaeccb741af5647
SHA256: d21cbbb425354645e578336aaa2221f67388afa162b1021f4b59ad8bd2207fd7
SHA512: 2ab6bb1827a920858ac29d820f785a355cf517256809b34f894d6052ea405972bf675687e0e30bbd653fb7bb44158ab8b1cd30420876c6a94cbf6057c2f11a53

Filesize: 2.6MB
MD5: c9d690f958245817fc17cd778fafe548
SHA1: ba74af20f9f4022dc0a90578606326446e75293d
SHA256: d535c697ebe6b3018effde9cd3af46ffd977f3ae93ba81cb950d85bb4e6dbf79
SHA512: c107226f6aa1872754d22fa628e95bf88d5e37d23c680edd5f1bf09b1c0d02ad09b281fe27cc6638e4623ed4b9c2a507a994dba730a30196e4e929efb799aea2