Analysis

max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 14:41
Static task: static1

Behavioral task: behavioral1
  Sample: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
  Resource: win10v2004-20241007-en
General

Target: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
Size: 4.1MB
MD5: 1474a1f70a6f904a5b2ab7667ae7d250
SHA1: 02f5a85e1f974db2e863fcce355cf4d31069655c
SHA256: 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbd
SHA512: cf84e3944adca2cce6d2620d39849154dc78e045304e1c971dd1cbc845457e493b4dadec9ad74fdd63da0c0b1cd7a8e4f77a851397bd3c18590f994eb827373d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpsbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  description   ioc                                                                                       process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe  15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe

Executes dropped EXE (2 IoCs)
  pid   process
  1016  ecabod.exe
  2200  xbodsys.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The report attaches no IoCs to this signature.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBW1\\optixsys.exe"  15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvH9\\xbodsys.exe"      15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
  Both values use the same name, "Parametr", under the per-user Run and RunOnce keys, which is a convenient pivot for hunting. The Run value points at xbodsys.exe, which executed during this run; the RunOnce target C:\KaVBW1\optixsys.exe does not appear in the process tree below.

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description  ioc                                                       process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecabod.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xbodsys.exe
  This key is also read by many legitimate processes during locale initialisation, so on its own it is weak evidence; it matters more when the sample branches on the result, which this report does not establish.

Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated entries collapsed)
  pid   process                                                                  entries
  2896  15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe  4
  1016  ecabod.exe                                                               30
  2200  xbodsys.exe                                                              30

Suspicious use of WriteProcessMemory (6 IoCs)
  description                             pid   process                                                                  procid_target
  PID 2896 wrote to memory of 1016 (x3)   2896  15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe  86
  PID 2896 wrote to memory of 2200 (x3)   2896  15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe  87
  The writes go only to the two children the parent itself spawned, and a parent writing into a process it has just created is also what ordinary process creation looks like to an API monitor; this signature therefore does not by itself show injection into a foreign process.
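The Run/RunOnce values and the Startup-folder drop above are this report's persistence evidence. What follows is an added hunting example, not part of the sandbox report or of the sample: it replays constructed Sysmon-style records (Event ID 11 FileCreate and Event ID 13 RegistryEvent SetValue) built from the IoCs listed above, plus two constructed benign events, and flags autostart entries whose target lies outside the usual installation directories. The field names, the benign events and the trusted-prefix list are assumptions.

```python
"""Hunt for the autostart persistence seen in this report in Sysmon-style telemetry.

Added illustration, not part of the sandbox report or the sample: the records in
SAMPLE_EVENTS are constructed to mirror the report's IoCs (the Run/RunOnce values and
the Startup-folder drop) plus two constructed benign events.  Field names follow
Sysmon Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent SetValue); the
trusted-prefix list is an assumption to tune per environment.
"""
import re
from dataclasses import dataclass

# Value written directly under a Run or RunOnce key.  Only the key suffix is matched,
# so the pattern fits both Sysmon's HKU\<SID>\... form and the kernel-style
# \REGISTRY\USER\<SID>\... form used in the sandbox report.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# File written directly into a Startup folder (per-user or all-users).
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Directories an installed, signed product would normally autostart from (assumption).
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "run_key" or "startup_dir"
    image: str   # process that performed the write
    target: str  # registry value path or file path that was written
    detail: str  # value data for run_key findings, empty otherwise


def exe_from_command(cmd: str) -> str:
    """Return the executable path from Run value data such as '"C:\\a b\\x.exe" /arg'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_untrusted_path(path: str) -> bool:
    """True when the path is outside every directory in TRUSTED_PREFIXES."""
    return not path.lower().replace("/", "\\").startswith(TRUSTED_PREFIXES)


def hunt(events) -> list:
    """Flag Run/RunOnce values that point outside trusted directories, and any
    file dropped into a Startup folder (flagged regardless of its path)."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            if is_untrusted_path(exe_from_command(ev.get("Details", ""))):
                findings.append(Finding("run_key", ev["Image"], ev["TargetObject"], ev["Details"]))
        elif eid == 11 and STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
            findings.append(Finding("startup_dir", ev["Image"], ev["TargetFilename"], ""))
    return findings


HKU_USER = "HKU\\S-1-5-21-3442511616-637977696-3186306149-1000"  # SID from the report
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe"

# Constructed records: the first three mirror the report's IoCs, the last two are benign.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": HKU_USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\KaVBW1\optixsys.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": HKU_USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\SysDrvH9\xbodsys.exe"},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\ExampleApp\setup.exe",  # constructed benign installer
     "TargetObject": HKU_USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
     "Details": r'"C:\Program Files\ExampleApp\ExampleApp.exe" /background'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # constructed benign, not an autostart key
     "TargetObject": HKU_USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.kind:12} {f.image}\n  -> {f.target} {f.detail}".rstrip())
```

On the constructed input this reports the two "Parametr" values and the ecabod.exe drop and stays quiet on the installer that registers itself from Program Files. Two caveats: the report renders value data with doubled backslashes ("C:\\KaVBW1\\optixsys.exe") because it escapes them, whereas Sysmon logs the single-backslash string, which is what the sample records use; and the regex deliberately covers only Run and RunOnce, so RunOnceEx, the Policies\Explorer\Run keys, services and scheduled tasks need their own rules.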
Processes

C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe"
  PID: 2896
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (child of PID 2896)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    PID: 1016
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\SysDrvH9\xbodsys.exe (child of PID 2896)
    command line: C:\SysDrvH9\xbodsys.exe
    PID: 2200
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

The report does not name the dropped files; the three 4.1MB entries match the size of the submitted sample.

Filesize: 1.9MB
MD5: 1915fdd937da72ae64b0e4efabb29568
SHA1: e306db7d90fae6039909a04ae7e257fd803536a7
SHA256: fbcd6d33e24252269fd806045921bf489428be0ba8d67c853a2104e25ec156c9
SHA512: fe533c42e713f5f3e443a1b480d83c005acc09bf41b0eeb26bbb5ec1a1766acff272f58264d99d53c4a5a76f4309158c70f1859de80f94d71174b956dceee86c

Filesize: 4.1MB
MD5: 10246f27b319a8814d78c8c45249234c
SHA1: 3a75a12d6fabddaf20052494177322e3c95da7e3
SHA256: 1f26c6950e626060b0bdcc9f2a6bb9d65b17264f174855c33817973098977430
SHA512: 8e3dd5ce288931cf5d6e103295f78ba77df4124c647efbb114afe963031ce13129abb4a749844d6177f1fcf20cc33f598c4a239c8e727911755bafe8344f7990

Filesize: 4.1MB
MD5: 9f3250d618678fc30738d35e2f571ac5
SHA1: a8d9ed242f70ac79e10905a237d6a7a078a0bc31
SHA256: 3a27e940f6ede36879df6e6ce8686ee723a7dd4b60296e6ddc23f06ce9f6f31d
SHA512: e878bdc3fdd7aa7fa99821f27e3bf79dc19cd32e4f0656878e5ade180b6597ca08b388ce7fb717698eabf582cee8de04d31fe1db0c0ad96f695e936e5904fcc5

Filesize: 201B
MD5: 5d29fea3849b636d9c63038162d47568
SHA1: dfa0005bf59aef312b05511eec947e3f31a52e2d
SHA256: 1d3a03913d2147f2e872da9a2a0c5b9f2dedbcc070e0062c2772dbe729b853a5
SHA512: 2cb3c958d5dfa06b9f04ed97defc955fda9c9b5d2add7c56161c07195ca88b714288e4d03f8c303bdb61680f6778dddc7d9ec7130f92e73de481f99e72bacf09

Filesize: 169B
MD5: 6e849bf1da8bb45fd8997e76b4e70b7b
SHA1: 95a895a7c7db856b73d8d98f50b980eaabe5576e
SHA256: 26af3d00ec48f328cf0eb41fefa4c4e93fd85bbb3047ecbb510f2750c8e5eef9
SHA512: 1179ea821bc33fc12e89c113f6a9dd5f941a40a9cc520185133ec2152557f198a402f162fd85c162ce3577331c9769c26fbcd8128a3beceb64078570fbb8f839

Filesize: 4.1MB
MD5: ebb01d018ee6de3dde060ea803142800
SHA1: 89064fc16fe3d718e2ba2436a8966acb1be5f8a6
SHA256: c0c734aa89ce1532df5495e19a6060fe1c46437482da13487230e8a0bf63385b
SHA512: 344407fa40acab52f96741b3ff062d28cb71b0e9fc3b971043f147797777ce17a257090c9203489dd5600dc2d4f187e548fe8ebff19873152ab819403bfd0784