Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/11/2024, 12:22
Static task
static1
Behavioral task
behavioral1
Sample
82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
Resource
win10v2004-20241007-en
General
-
Target
82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
-
Size
2.6MB
-
MD5
6bb5890855484aa5c398f0f8625cd5e0
-
SHA1
b319933107d13c293fe93ebd287d73d87c5c0f26
-
SHA256
82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5
-
SHA512
3d3be118d611863225e7f6ef424c24fbd8b43b4f716fb5d28b24597c537a3bea4f8f606750d3d7d53789646c6485b4e9e65a791eb5d6c566f9d1561d270c3c9f
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSq:sxX7QnxrloE5dpUpBbV
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe -
Executes dropped EXE 2 IoCs
pid Process 4224 ecdevopti.exe 8 xbodsys.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY5\\xbodsys.exe" 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGG\\bodxec.exe" 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecdevopti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbodsys.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe 4224 ecdevopti.exe 4224 ecdevopti.exe 8 xbodsys.exe 8 xbodsys.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 376 wrote to memory of 4224 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 88 PID 376 wrote to memory of 4224 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 88 PID 376 wrote to memory of 4224 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 88 PID 376 wrote to memory of 8 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 90 PID 376 wrote to memory of 8 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 90 PID 376 wrote to memory of 8 376 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe"C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4224
-
-
C:\SysDrvY5\xbodsys.exeC:\SysDrvY5\xbodsys.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:8
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
472KB
MD52b6b5c9a118fdc1e2b983510b101d9d0
SHA1a8158f4a3935a92c601e4a76d466572a251fa8ad
SHA256d4df447dc0d4417943fabdabe0d99eece1627ac88cf2e3ac452abdaa1adea78c
SHA512030d3b9215de49d9f6698a1a8e82ff0a6cc10dba81323eee1198b8b1fce22b12b1417297ed34bfebbf96763a2618323680fbdac5e3b3ca9a93b0a840cfb74f6f
-
Filesize
818KB
MD58f43358efab98b34e760ee94c7f9fbc3
SHA13274cb9f216b7efbd4eb55d16d90242098caf7f5
SHA256111548dd47523ebdb0d2a3f5cb162945ee7f74342eeaafc462835c03ef21f264
SHA512f6b47b4ecc572c905570b75cfd2810f730cb86b8fab99721bc49860413d8628662123114b94eb3caf16ec0117d1632a3772051f3deeae103d43443f45bc1b202
-
Filesize
2.6MB
MD5e1b028b63bb71e547f5c524ae705b316
SHA1429d40b18513c7dff79badeadf32b0867186d669
SHA256028c0b749eff4c601bde013aefc25474e5ae5816ef34ea8d2bdca25aaa7614b0
SHA512b2bd8b686be3f02fc0446d3ee4c8c2d048b7d710016fe44985638e6b2437baa1666cdf6ff4e26f322cc19377f921a2f84410b6642262abf78a5f72dfa7b2663c
-
Filesize
202B
MD5043d6fd56c6f1e02144c7a4ea7b78961
SHA1b282a846a4ae248fa7c9911d954b98ef3d9142cc
SHA25621881750b2d2ab10dd5e8d09e1e3f1b026d9faff7a2dd4ea19a81c976207538e
SHA5129f116deea57968ef5890b7df3485e23fe9fc100425d705a5fb9f965c7344241814a30f5d5d6b6ccf7c6450382291800b07bfc6059376f80efe19f85460a2f96b
-
Filesize
170B
MD5233980f2de43dd8fc771e23a9b967f73
SHA1e6a3f4a75f00d500165e119a256cc451566809ce
SHA2564f04206d889ec4458e6577e1ac18a3c16bad14594099525043490a04b160f8e9
SHA512b9cb5583fe0835ecac36bae827ccf5a3e9aff6c503199703495a0e062f93fdffa60742c6b7a344b766d844faee151529b0da8b2cedb6ff2bbaf96173f8914c6d
-
Filesize
2.6MB
MD558e22bc63a44999c3c68c55967823c17
SHA145c787966890109b89ba061d3a4caf8f8ad2a038
SHA25625bd7fa108b10b183e9cec9bd330921766a04c28faf80f28f5d7f2147f2028c1
SHA51287ed983b81faf5a6eb3e068e7ea1bf99619f4d5bd278bac06641a3d8173e154abb5c202f54cb569020ce62770e06dcc7171775645e87111630346da7c104f93e