Analysis
max time kernel: 119s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
  Resource: win10v2004-20241007-en
General
Target: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
Size: 2.6MB
MD5: 905d011a98a1a1811ba2223a881d28f0
SHA1: 858eee90065ff04f060b3e24ad01be50c29544c2
SHA256: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44
SHA512: 8ed38b6eec1e6a871f3c9b41e0c4c2578c67253f429eb68492237fab19aee36e136610feab801889825e23953671dac6ab1bb42aa85a0b1ea2315655bc33eec1
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSq:sxX7QnxrloE5dpUpWbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (process: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe)
Executes dropped EXE (2 IoCs)
  pid 2736: ecabod.exe
  pid 3008: aoptisys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBI\\aoptisys.exe" (process: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1J\\bodaloc.exe" (process: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecabod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aoptisys.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4984: 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe (4 entries)
  pid 2736: ecabod.exe and pid 3008: aoptisys.exe, repeated in alternating pairs (60 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4984 (95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe) wrote to memory of 2736, procid_target 86 (3 entries)
  PID 4984 (95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe) wrote to memory of 3008, procid_target 89 (3 entries)
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4984
  Child process (depth 2): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2736
  Child process (depth 2): C:\SysDrvBI\aoptisys.exe
    Command line: C:\SysDrvBI\aoptisys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3008
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
  MD5: 61e4951a16d686bf9a8cec7c03af7864
  SHA1: 25638802cb84d3018e444dc8b9605007fb2c0211
  SHA256: 25c765a42754444ce6edf29060ea95a29492bf9f113b10b959eeabc41708782b
  SHA512: 0280de787dc0cedddd65f9eb7bd3bc0488b2138e3e900d0e41e8bfa525b6e8e0313340e82642341e008db4999773d42292224b85a230bc8de18912de7a30bc78
Filesize: 200B
  MD5: 9df79012a85345a7d0474fae3f250e79
  SHA1: abe820af610f7f8c88d1e2af8d09a88e8475adfe
  SHA256: f29fe5caff6bbc4ab481822e45c82e520cadd91e836b103135d146cada962c68
  SHA512: eb658dcb8d4a800393c6f64c82e998872f11ff6da5699945dc541f82ac5aa1b90ecc892f149275a2b8bd49f359d149f6a06d2f7f192370a70c7158d14bc458ab
Filesize: 168B
  MD5: 637629d9916ed7bedf650296d38e405d
  SHA1: 73f532a070ff0adcbf3255d26b15844ee2745504
  SHA256: e7d808dce14ca9e815a09fc56b1bd965f0fdb0dc9a284d2167243f2d4191dd14
  SHA512: 94ebce95843673fc2c8017ca446f573efc967cf375a88f869935a613bc95ce0b5892814c87ca93426c42380c4148c56c47315cab200c1fa319e5c9bb7d73b122
Filesize: 2.6MB
  MD5: 0c8a0688f878fcaad50f65aa0b711f0d
  SHA1: 3e6662bd0dccca83ff896310feea526299391092
  SHA256: d35815cb148eca996b1e2643747ecd02ac65825d1872f84500b659f7056e49cd
  SHA512: a706ef08bc6df4f705fe67fa4f3ce5a6bf596300bbbf3191ca29ba3110f6d63a68551ccb1df946aea3bcbe6815913299e3d9758f442bdc9ca4a115eba9c713d4
Filesize: 2.6MB
  MD5: 416928fa85ef9d1ceb1dbc79b3978a68
  SHA1: b69cd2842b6ecca0eb41d84b46ab623e0300b541
  SHA256: c2bb4431e228e3fe144e347ebdca2c97bf5817cf9c670bbcdff6ce5e4ca3e52a
  SHA512: dd14010960b9be521799b222d3c3bda43a413aee939534d18601afd1eb96840163ad6de4e6912ba5e295b6f6521a38602f01a8a8d11c5bb6da0cca9d3d453333
Filesize: 2.6MB
  MD5: 2fecb840201439bae032905f19e829ff
  SHA1: db450f8d3f7bf34c690d3020b38507d5565f026a
  SHA256: 84c16653b8f40f45502e5c70c58465eb23959ccac01e070935ead6e52b8dc8c5
  SHA512: 4c4d4da7fff9b05f28e39262a69975a3c1976b4f2230cd47f142c393670158220ced18fd2d3e86cb7cf6dff2866c1298c1e90c0f10e9861cfb53cbf12a13d5fc