Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 22:43
Static task
static1
Behavioral task
behavioral1
Sample
c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
Resource
win10v2004-20241007-en
General
Target: c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
Size: 2.6MB
MD5: fa99b3f3c6accb7de65c3bac44149590
SHA1: da03a7623eaf2b009f3f7301675852384fdac01b
SHA256: c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299
SHA512: 4ba7d1ae73e813e318d0f933a4c49650214dccce07a48b99be220919bcd9d868215d1a370ad769f2aa9941034a66e1a0522162f05c5d1beb1f5824b6f7c7d131
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bS:sxX7QnxrloE5dpUpvb
Malware Config
Signatures
Drops startup file 1 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
Executes dropped EXE 2 IoCs
pid Process
1604 ecadob.exe
2192 xbodsys.exe
Loads dropped DLL 2 IoCs
pid Process
2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOI\\xbodsys.exe" c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXO\\optixloc.exe" c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecadob.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbodsys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
1604 ecadob.exe
2192 xbodsys.exe
(the last two entries alternate repeatedly for the remaining IoCs; 64 entries in total)
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 2940 wrote to memory of 1604 2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe 30
PID 2940 wrote to memory of 1604 2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe 30
PID 2940 wrote to memory of 1604 2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe 30
PID 2940 wrote to memory of 1604 2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe 30
PID 2940 wrote to memory of 2192 2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe 31
PID 2940 wrote to memory of 2192 2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe 31
PID 2940 wrote to memory of 2192 2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe 31
PID 2940 wrote to memory of 2192 2940 c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe 31
Processes
C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe"
  level 1
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2940
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    level 2
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1604
  C:\FilesOI\xbodsys.exe
    command line: C:\FilesOI\xbodsys.exe
    level 2
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 6bf7aa7fee43a12b95634594558629b0
SHA1: 959ae81126f770f1e2dd5a18b4db938c0cabb654
SHA256: 72aaf02b37cc80c3ac36ed833a7bf2ac022a7e8e7e60866a8161a0ac1b9be82b
SHA512: b8a21f5a62dd739a5f668082852dceacd7717ab42572324e24345869b606b1c0289551e34d839628be382ad8e6dd9cbd005f71bd94a1963c75c20d3319b63dc4

Filesize: 2.6MB
MD5: fff970666cb81406f64eb2524977628e
SHA1: e8cd2c9860fc6f9f0a8ed2d7592e4029d546a8b7
SHA256: 801f2f0e169eb0c246a2cb10391861a6588f03a97073b567ce73d5451b7cddc2
SHA512: 9414bee49c23a37d6954c329e1cedb690332af9af580d5568be39b120e82201bd542d503e048617e180e36650343c263ed6b5be85074faff1a70fcd7ebe56923

Filesize: 2.6MB
MD5: bd242d47d03ae802f56329b60209944a
SHA1: 6d66bd7ad6fb281ef63e77bdeb3ff8759985f125
SHA256: dbc9567d575ff0b51a23aa0380a0c0552176f7796bffa4421a2c0516c0e1ab66
SHA512: ad960782703fa5515b017c45895bce8e7d8159cf013229441131f216d247394a292c08f0a811e331a139b4750c5e435cbdba1f611c8073549579fa1900b17caa

Filesize: 168B
MD5: 7de7daa834d985338fd5363e3909a780
SHA1: 2ae121abd7b09b761b269821ef8a2c8670ff2d36
SHA256: 0493f2b7906b2e219a826b6d7a3f9bc023f92a8d00048f5b25240eb58534e246
SHA512: f82d3a24e0f964dcca1b050e85aeca5da1ef5d381bbce00b1cdf3b84e3c1526762bc4f293abbc983e9b1c5a70b04b68eabcd54a1db3273d5e910d92ba6358f4c

Filesize: 200B
MD5: 4264b2019848f93783ef5182b9e658fe
SHA1: 26cdd31c24a2d0274870434ff39a8de2ed2f531a
SHA256: 4938401bcee272ba3d1bb312e3cf4880951fb68d3170b22a8cfe6fdcdcdf2288
SHA512: 1d4260524883a355b2d56b57444114c2fe9a1f93e099188b83071a45b3763e4b8692ef9e77d4c10f4936064fb76e8c57b54aa5bbce410f1f4b5c3b133adfea96

Filesize: 2.6MB
MD5: eafe31c88a6e1eedae6fc315246c6ca2
SHA1: db96b6d9a974d40f3a3631924d5553f10e7f9bdb
SHA256: afd30ed293bf9a0ec52938f88a20ec70f099e911971176ced0573907979eafc6
SHA512: 867c0632b31672e1eacb1b304c8e7bde10205e89eef6ea85b69874285be5aa72252d16f0b267f7fc47159beb2eaba5bd81202378a95ca364b292362a8a8a2f1c