Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2024 21:19
Static task: static1

Behavioral task: behavioral1
Sample: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Resource: win10v2004-20241007-en
General
Target: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Size: 2.6MB
MD5: 3d3ea83b2b8f6d254c654505521506b0
SHA1: a4480aae27dfb526384eb179b3896e6d2fada447
SHA256: e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276e
SHA512: 639eeee85e8d6884a1d383f7808702b9d957b71e7914a2fbd3e976b30b61dec755adfde21505b030f53365aabcb1312d761f5ac3a26ed527dc2d6c917275a881
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUptb
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe

Executes dropped EXE (2 IoCs)
pid | Process
2056 | ecadob.exe
2380 | xbodsys.exe

Loads dropped DLL (2 IoCs)
pid | Process
2924 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
2924 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOI\\xbodsys.exe" | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXO\\optixloc.exe" | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbodsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows collapsed)
pid | Process
2924 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
2056 | ecadob.exe
2380 | xbodsys.exe

Suspicious use of WriteProcessMemory (8 IoCs; each row recorded 4 times)
description | pid | Process | procid_target
PID 2924 wrote to memory of 2056 | 2924 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 30
PID 2924 wrote to memory of 2380 | 2924 | e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe | 31
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e0e76a2acbfc4a21df7eeafea1574aaf07e7bb595849dfb2fac5a84df370276eN.exe"
  PID: 2924
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      PID: 2056
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\FilesOI\xbodsys.exe
      command line: C:\FilesOI\xbodsys.exe
      PID: 2380
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 2cf327a72c94214f7465e5e021b9207e
SHA1: e89748b21407b6c2c853934271edde05284fba20
SHA256: 9b3a8f0b295fddcb53592a6af22a1e2ffac0e46b943ff5217e785347ed82b13c
SHA512: 965dc9f13d599ec8efa6400d4c2c89d2da3d4b1e88ce4330405b713fc4a1fa5b7f9e889c02e7dbea8fa81944dc4c41bc333721c7f40ceb9136f5b23af1c0582a

Filesize: 2.6MB
MD5: a0cb979d7f11fad58e1e68f1d647b8fd
SHA1: 23fe72e31208c28536edcbc69bd12ea0985b6b7a
SHA256: e793e162edecfbc6c4bf7158d63a1fef3a22d2d3fdb94655ed842b5dae71ae90
SHA512: cf9c1564d4459d0386c4b438e9d58f9f37bfbc0f78f73a72ac3bb20cb7027b761a7a43f6befcda7ed22180ed62d8b627ef5d9c0f003e6f69414046c466413461

Filesize: 2.6MB
MD5: 03ebfac6e5089ee1bef3eb57753c6e4e
SHA1: 4d76bd3c0c8f12423ef2b5037b8d7c86a1aa34fb
SHA256: 05a5e1aa9efb1bb53a00b1a077a8574ad923ddd01dbe641d7b5f5f27ff568522
SHA512: e2455bfba79c64bddd492e7daff3d99e4670512e8aeac515ddcbbe2db4f20769a17aeaeb46ea4141a766c6991a14b28119a34cfa45efd0a3cf74392cd6b27c57

Filesize: 168B
MD5: 7de7daa834d985338fd5363e3909a780
SHA1: 2ae121abd7b09b761b269821ef8a2c8670ff2d36
SHA256: 0493f2b7906b2e219a826b6d7a3f9bc023f92a8d00048f5b25240eb58534e246
SHA512: f82d3a24e0f964dcca1b050e85aeca5da1ef5d381bbce00b1cdf3b84e3c1526762bc4f293abbc983e9b1c5a70b04b68eabcd54a1db3273d5e910d92ba6358f4c

Filesize: 200B
MD5: 4264b2019848f93783ef5182b9e658fe
SHA1: 26cdd31c24a2d0274870434ff39a8de2ed2f531a
SHA256: 4938401bcee272ba3d1bb312e3cf4880951fb68d3170b22a8cfe6fdcdcdf2288
SHA512: 1d4260524883a355b2d56b57444114c2fe9a1f93e099188b83071a45b3763e4b8692ef9e77d4c10f4936064fb76e8c57b54aa5bbce410f1f4b5c3b133adfea96

Filesize: 2.6MB
MD5: 383f3207756b46e3e20390b7b707319d
SHA1: c4e384a0812a83825925f04fdfc45a7b85d11494
SHA256: 42324e1420fcd19500826a11fd0157f38e795de25100531fddf0cf15bbc193ae
SHA512: 5459ac471bff77a3f041384a3838bdba1fbbcd8578b4396ce32ffdc2ef917193c7a7f3af25f9e6bc508900d5fa2d2bc96b4189e59b5fb8fcff0deb55ddda33d8