Analysis
- max time kernel: 149s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
- Resource: win10v2004-20241007-en
General
- Target: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
- Size: 2.6MB
- MD5: 40a89c9c1f86c5fa732987e226becb5f
- SHA1: ae3dac667d036cc775a0c271bd628db6169c070d
- SHA256: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6
- SHA512: 882b9ea8fd55b355c6463664f39c30279707dd667db28e1ad8ce301dc05c8a23295ad0cf4440071f7aa13654a0dbbbfedc65d5330a2efe0768f1b7f9b0a65907
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpyb
Malware Config
Signatures
-
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  Process: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
- Executes dropped EXE (2 IoCs)
  PID 4864: ecdevopti.exe
  PID 2716: xbodsys.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers commonly target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature in the report.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXB\\xbodsys.exe"
  Process: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidX9\\optiasys.exe"
  Process: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
  Both values share the name "Parametr" and point at executables in non-standard top-level directories (C:\FilesXB, C:\VidX9). Note that the RunOnce target optiasys.exe does not appear in the process list of this run: RunOnce entries fire at the next logon, so its behaviour is not captured here.
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ecdevopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xbodsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3944: 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe (4 entries)
  PID 4864: ecdevopti.exe and PID 2716: xbodsys.exe (the remaining 60 entries, alternating in pairs between the two dropped processes)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3944 (52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe) wrote to memory of PID 4864 (ecdevopti.exe), procid_target 86; three identical entries
  PID 3944 (52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe) wrote to memory of PID 2716 (xbodsys.exe), procid_target 89; three identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe (PID 3944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (PID 4864, child of 3944)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\FilesXB\xbodsys.exe (PID 2716, child of 3944)
    Command line: C:\FilesXB\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
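The persistence and process-tree indicators above translate directly into host-based detection logic. As an added example (not part of the sandbox report, and not code belonging to the sample), the following Python runs three rules over constructed Sysmon-style events that mirror this report: a file written into the per-user Startup folder, Run/RunOnce values whose target lives outside the usual program directories, and a child process whose image is exactly the file or autorun target its parent just planted. It also lists autorun targets that were registered but never executed during the trace, which is how the RunOnce entry for optiasys.exe would surface. The event dicts, the sample's parent PID (5120), the benign OneDrive autorun and the list of expected autorun directories are assumptions made for the example; the paths, PIDs and registry values are taken from the report.

```python
"""Turn this report's persistence and process-tree IoCs into detection logic.

Added example: not part of the sandbox report and not code from the sample.
The events below are constructed in the shape of Sysmon Event IDs 1
(ProcessCreate), 11 (FileCreate) and 13 (RegistryEvent SetValue). The parent
PID 5120, the OneDrive entry and EXPECTED_AUTORUN_PREFIXES are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = "52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe"
SID = "S-1-5-21-3227495264-2217614367-4027411560-1000"
STARTUP_DROP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\ecdevopti.exe")
RUN_BASE = rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion"

# Constructed events, in the order the report implies.
EVENTS = [
    {"EventID": 1, "ProcessId": 3944, "ParentProcessId": 5120,
     "Image": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"},
    {"EventID": 11, "ProcessId": 3944, "TargetFilename": STARTUP_DROP},
    {"EventID": 13, "ProcessId": 3944, "TargetObject": RUN_BASE + r"\Run\Parametr",
     "Details": r"C:\FilesXB\xbodsys.exe"},
    {"EventID": 13, "ProcessId": 3944, "TargetObject": RUN_BASE + r"\RunOnce\Parametr",
     "Details": r"C:\VidX9\optiasys.exe"},
    {"EventID": 1, "ProcessId": 4864, "ParentProcessId": 3944, "Image": STARTUP_DROP},
    {"EventID": 1, "ProcessId": 2716, "ParentProcessId": 3944,
     "Image": r"C:\FilesXB\xbodsys.exe"},
    # Benign autorun write (assumed), to show the rules stay quiet on ordinary software.
    {"EventID": 13, "ProcessId": 800,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

STARTUP_FOLDER_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.IGNORECASE)
AUTORUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\[^\\]+$", re.IGNORECASE)
# Directories a legitimate autorun target is expected to live under (assumption; tune per
# environment). A target such as C:\FilesXB\xbodsys.exe falls outside all of them.
EXPECTED_AUTORUN_PREFIXES = (r"c:\program files", r"c:\windows", r"c:\users")


def _target_path(details: str) -> str:
    """Pull the executable path out of a Run value ('"C:\\a b.exe" /x' or 'C:\\a.exe /x')."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def _norm(path: str) -> str:
    return path.strip().lower()


def scan(events):
    """Return (rule, pid, detail) findings over Sysmon-style event dicts."""
    findings = []
    dropped_to_startup = defaultdict(set)  # pid -> normalised paths it wrote to Startup
    autorun_targets = defaultdict(set)     # pid -> normalised Run/RunOnce targets it set
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 11 and STARTUP_FOLDER_RE.search(ev["TargetFilename"]):
            dropped_to_startup[pid].add(_norm(ev["TargetFilename"]))
            findings.append(("startup_folder_drop", pid, ev["TargetFilename"]))
        elif ev["EventID"] == 13 and AUTORUN_KEY_RE.search(ev["TargetObject"]):
            target = _target_path(ev["Details"])
            autorun_targets[pid].add(_norm(target))
            if not _norm(target).startswith(EXPECTED_AUTORUN_PREFIXES):
                findings.append(("autorun_nonstandard_dir", pid,
                                 f"{ev['TargetObject']} -> {target}"))
    # Second pass: a child whose image is exactly what its parent planted moments before.
    for ev in events:
        if ev["EventID"] != 1:
            continue
        parent, image = ev["ParentProcessId"], _norm(ev["Image"])
        if image in dropped_to_startup.get(parent, ()):
            findings.append(("parent_runs_startup_drop", ev["ProcessId"], ev["Image"]))
        if image in autorun_targets.get(parent, ()):
            findings.append(("parent_runs_autorun_target", ev["ProcessId"], ev["Image"]))
    return findings


def unexecuted_nonstandard_autoruns(events):
    """Non-standard autorun targets registered in the trace but never launched in it.
    RunOnce values fire at the next logon, so a sandbox run usually never shows them."""
    executed = {_norm(ev["Image"]) for ev in events if ev["EventID"] == 1}
    pending = set()
    for ev in events:
        if ev["EventID"] == 13 and AUTORUN_KEY_RE.search(ev["TargetObject"]):
            target = _norm(_target_path(ev["Details"]))
            if not target.startswith(EXPECTED_AUTORUN_PREFIXES) and target not in executed:
                pending.add(target)
    return sorted(pending)


if __name__ == "__main__":
    for rule, pid, detail in scan(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
    print("registered but not executed:", unexecuted_nonstandard_autoruns(EVENTS))
```

The parent/child correlation is the part worth keeping even where the exact paths change: the sample writes a file, then immediately executes that same path as a child (PIDs 4864 and 2716 here), which is a stronger signal than either the drop or the Run value on its own. The pending-autorun list is a hunting cue rather than an alert, since any sandbox trace ends before the next logon.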
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists six dropped files without filenames; the hashes are reproduced as given.
- File 1 (2.6MB)
  MD5: 9043a689c43841a881ffa666aa9b94a5
  SHA1: d8b5e84975f8ad886833e0e968c6ac32c370b384
  SHA256: 2110f0b4333f9ed98b3de4d8eb20bb4dd078324f8ddc6fdc04cfc7410290ecab
  SHA512: 010074c7f25ba25b566f2cdb1234d2190cd8e71f1d9782bcfab6d3d2c876acbcbcf4d6abccad595d570a019422b5bbdefb56e7655c035425f36ed69ee72cab07
- File 2 (202B)
  MD5: e149b68aadb1e7a8d4a5d93616054a19
  SHA1: ceed2c9a42b05299d5ecc9a0ea091bab205ab162
  SHA256: e77b093adbe728c37e8aada7749ed13ac9dda29de16f059a5a717f2dc9b71387
  SHA512: a8d72f9e0356dd5fa44b0c0fc66ff4a871d06708f646ceaa4e9a823f279fd550a0f149475fde99f1e43ff6e7a9f2e2cad6e80de2012aafad85ad17c3994133fe
- File 3 (170B)
  MD5: e077d49bc1494b02eaeee565b9a47e76
  SHA1: 88167be303025f191f470c68adea3bb1d440072a
  SHA256: ebbd83abc86975250845e582f61a2baa3c349fa5c0d926f636778b9cdce53287
  SHA512: 0a2c9177b180b5086e3d4cd6c209bea8957611912a4bd86054df3c2082e8f942fd9a675a426dcce957b32f9f70100923e2a59bfaa05f1f4e1ec7c7649fbce965
- File 4 (2.6MB)
  MD5: c19be8c156afbf4237aa28eaaf7dae58
  SHA1: 4ed79f0a39481954b7d45d2e6c3cc215e51ef3c5
  SHA256: 98ff78b705845404afcdc623e1e747c9c454674c145ede1f12e8bb2f551aa760
  SHA512: ecbc0671b33ebb76a98b9bd291f8298a4861c4479837c9476d5935c605a785d347a313b97c4b7954c3b8c373325a94ff0117065b47d2a6127c6d4325ab0abb6e
- File 5 (2.6MB)
  MD5: 86dcdc7c746dd936df1bebaa92f80541
  SHA1: 80b12cea304b75359e21a307c6510f1e67536957
  SHA256: 5a38b6eed759f906fe1e7a927e3400fcf197d7cf18432bfc7ac3b1f886128d39
  SHA512: 70758e8a811e0c3aa68a2c19144296bdb2413077105a659d292f2be58b15e66e88406aab7562ab694dd527d8d1584b420e3e0e4d22be11d92ebb720c18488807
- File 6 (2.6MB)
  MD5: c289535fd4b1ea2fee12772be483d1e9
  SHA1: 2f7bc4e741fda1cfc86daf038ae329809090851d
  SHA256: dd23f41a30f70d70b9f26aedff398e4736bfef453c91fbaa8fc893c3c0594637
  SHA512: c15ca827ae31f678da3f7aafae9e093f807554da090ae63d1f026821966e2b8bcbc9ddc56e6a3a634fa94ff779000db75179ae1cc49aeeab8bacc054d6399c63
Note: the four 2.6MB files carry four distinct hash sets, and none of them matches the submitted sample, so the dropped copies are not byte-identical to the original. Hash-based matching on these artifacts is therefore weak; the drop paths, the "Parametr" Run/RunOnce values and the parent-child execution pattern above are the more stable indicators from this report.