Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2024 17:32

General

  • Target

    e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe

  • Size

    2.6MB

  • MD5

    5cfb5045a8a94b4b6c681757807af2b0

  • SHA1

    3cbf6a14a1ba6433233a88202d6db47b3bda51ae

  • SHA256

    e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086

  • SHA512

    78fb6a66d74c148586c47eef9db5a508d7997ce2ca464ed59a4954ca6b3a377b77c2fb2e7bf30cf53ec0460f86647c4ff85284d26c5940628388fdb1ff8b8d91

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUpNb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
    "C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3004
    • C:\SysDrv1Z\aoptisys.exe
      C:\SysDrv1Z\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZPJ\bodxsys.exe

    Filesize

    2.6MB

    MD5

    5788db80ada36df5877ffe1fd35f98c8

    SHA1

    2ad7e881815315dc2593ee9e517bc814010c35e0

    SHA256

    639ac3413c232d5b9ed49d0c60b829848965fcc00fb3248b2cb560663daabdd7

    SHA512

    9488b286f7fd111ddbc07cf5e7f8b98dc41d6a82a43e010b8dd561d963fdb48103d9c466f3b320bcdedede24940a6c6df5e1744328452cbc5b57096e150d3eb5

  • C:\LabZPJ\bodxsys.exe

    Filesize

    2.6MB

    MD5

    6f8bf765a9696f63019c28e09a4bd97d

    SHA1

    79dc16c3500b8f70a06d6773169ee17c4ee55367

    SHA256

    8a9a0ebd9a6e638aec6706ae41a5e7a5d34f14048d40a36c13e8df9ff2cf8725

    SHA512

    ad8b16eb54af861c07a35663667f7984e49ec2ce4c64cb2484da00c040dacdbd0d9ab422ca13d479d458b6b3535a34ec9253ae99409aae8964dc0e3b387f7521

  • C:\SysDrv1Z\aoptisys.exe

    Filesize

    2.6MB

    MD5

    ed53093af7ad4a2557c4f4fc5ed7d93a

    SHA1

    31cd930cc1dba8792f4383a18f5765387cfad6d9

    SHA256

    79cd5a6761c8c571ab38a8b8476219902782aeacd16da52efea6657d37d3b6a4

    SHA512

    d1106cacaccfba5cddc967869cf173192bc1e8f983813de34ce698b9a1097da7c5f112dee171e05a4200a0a290dabfe4883919afdf20707ffeec7dff4df90b34

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    169B

    MD5

    eafef88255edf1034ef40f0fb205c787

    SHA1

    5c09ba9ecae0c538b55e14e6b3afde4fde4b19f7

    SHA256

    37839615fcc987308f343ead0f1bc44b4f4f76741a1fba482f5a75a32c5d1b09

    SHA512

    cc51433f434bb509cdf90b4481f6cdcbe72c6c988ec5e4ef1fa50f94a522d99e72e48ec64af34bb8baa60bbb9e385c59ae7c190040c737ec315793b6accaa73b

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    201B

    MD5

    588c93d52d10e7f16e988598105793fb

    SHA1

    8243c07b5605cf84d8cae76c8aaeccb741af5647

    SHA256

    d21cbbb425354645e578336aaa2221f67388afa162b1021f4b59ad8bd2207fd7

    SHA512

    2ab6bb1827a920858ac29d820f785a355cf517256809b34f894d6052ea405972bf675687e0e30bbd653fb7bb44158ab8b1cd30420876c6a94cbf6057c2f11a53

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    2.6MB

    MD5

    c9d690f958245817fc17cd778fafe548

    SHA1

    ba74af20f9f4022dc0a90578606326446e75293d

    SHA256

    d535c697ebe6b3018effde9cd3af46ffd977f3ae93ba81cb950d85bb4e6dbf79

    SHA512

    c107226f6aa1872754d22fa628e95bf88d5e37d23c680edd5f1bf09b1c0d02ad09b281fe27cc6638e4623ed4b9c2a507a994dba730a30196e4e929efb799aea2