Analysis

  • max time kernel: 119s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/11/2024, 14:41

General

  • Target: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
  • Size: 4.1MB
  • MD5: 1474a1f70a6f904a5b2ab7667ae7d250
  • SHA1: 02f5a85e1f974db2e863fcce355cf4d31069655c
  • SHA256: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbd
  • SHA512: cf84e3944adca2cce6d2620d39849154dc78e045304e1c971dd1cbc845457e493b4dadec9ad74fdd63da0c0b1cd7a8e4f77a851397bd3c18590f994eb827373d
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
    "C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1016
    • C:\SysDrvH9\xbodsys.exe
      C:\SysDrvH9\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2200

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\KaVBW1\optixsys.exe
          Filesize: 1.9MB
          MD5: 1915fdd937da72ae64b0e4efabb29568
          SHA1: e306db7d90fae6039909a04ae7e257fd803536a7
          SHA256: fbcd6d33e24252269fd806045921bf489428be0ba8d67c853a2104e25ec156c9
          SHA512: fe533c42e713f5f3e443a1b480d83c005acc09bf41b0eeb26bbb5ec1a1766acff272f58264d99d53c4a5a76f4309158c70f1859de80f94d71174b956dceee86c

        • C:\KaVBW1\optixsys.exe
          Filesize: 4.1MB
          MD5: 10246f27b319a8814d78c8c45249234c
          SHA1: 3a75a12d6fabddaf20052494177322e3c95da7e3
          SHA256: 1f26c6950e626060b0bdcc9f2a6bb9d65b17264f174855c33817973098977430
          SHA512: 8e3dd5ce288931cf5d6e103295f78ba77df4124c647efbb114afe963031ce13129abb4a749844d6177f1fcf20cc33f598c4a239c8e727911755bafe8344f7990

        • C:\SysDrvH9\xbodsys.exe
          Filesize: 4.1MB
          MD5: 9f3250d618678fc30738d35e2f571ac5
          SHA1: a8d9ed242f70ac79e10905a237d6a7a078a0bc31
          SHA256: 3a27e940f6ede36879df6e6ce8686ee723a7dd4b60296e6ddc23f06ce9f6f31d
          SHA512: e878bdc3fdd7aa7fa99821f27e3bf79dc19cd32e4f0656878e5ade180b6597ca08b388ce7fb717698eabf582cee8de04d31fe1db0c0ad96f695e936e5904fcc5

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 201B
          MD5: 5d29fea3849b636d9c63038162d47568
          SHA1: dfa0005bf59aef312b05511eec947e3f31a52e2d
          SHA256: 1d3a03913d2147f2e872da9a2a0c5b9f2dedbcc070e0062c2772dbe729b853a5
          SHA512: 2cb3c958d5dfa06b9f04ed97defc955fda9c9b5d2add7c56161c07195ca88b714288e4d03f8c303bdb61680f6778dddc7d9ec7130f92e73de481f99e72bacf09

        • C:\Users\Admin\253086396416_10.0_Admin.ini
          Filesize: 169B
          MD5: 6e849bf1da8bb45fd8997e76b4e70b7b
          SHA1: 95a895a7c7db856b73d8d98f50b980eaabe5576e
          SHA256: 26af3d00ec48f328cf0eb41fefa4c4e93fd85bbb3047ecbb510f2750c8e5eef9
          SHA512: 1179ea821bc33fc12e89c113f6a9dd5f941a40a9cc520185133ec2152557f198a402f162fd85c162ce3577331c9769c26fbcd8128a3beceb64078570fbb8f839

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
          Filesize: 4.1MB
          MD5: ebb01d018ee6de3dde060ea803142800
          SHA1: 89064fc16fe3d718e2ba2436a8966acb1be5f8a6
          SHA256: c0c734aa89ce1532df5495e19a6060fe1c46437482da13487230e8a0bf63385b
          SHA512: 344407fa40acab52f96741b3ff062d28cb71b0e9fc3b971043f147797777ce17a257090c9203489dd5600dc2d4f187e548fe8ebff19873152ab819403bfd0784