Analysis

  • max time kernel
    119s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20241007-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    09/11/2024, 01:18

General

  • Target

    95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe

  • Size

    2.6MB

  • MD5

    905d011a98a1a1811ba2223a881d28f0

  • SHA1

    858eee90065ff04f060b3e24ad01be50c29544c2

  • SHA256

    95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44

  • SHA512

    8ed38b6eec1e6a871f3c9b41e0c4c2578c67253f429eb68492237fab19aee36e136610feab801889825e23953671dac6ab1bb42aa85a0b1ea2315655bc33eec1

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBtB/bSq:sxX7QnxrloE5dpUpWbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe
    "C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2736
    • C:\SysDrvBI\aoptisys.exe
      C:\SysDrvBI\aoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3008

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\SysDrvBI\aoptisys.exe

          Filesize

          2.6MB

          MD5

          61e4951a16d686bf9a8cec7c03af7864

          SHA1

          25638802cb84d3018e444dc8b9605007fb2c0211

          SHA256

          25c765a42754444ce6edf29060ea95a29492bf9f113b10b959eeabc41708782b

          SHA512

          0280de787dc0cedddd65f9eb7bd3bc0488b2138e3e900d0e41e8bfa525b6e8e0313340e82642341e008db4999773d42292224b85a230bc8de18912de7a30bc78

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          200B

          MD5

          9df79012a85345a7d0474fae3f250e79

          SHA1

          abe820af610f7f8c88d1e2af8d09a88e8475adfe

          SHA256

          f29fe5caff6bbc4ab481822e45c82e520cadd91e836b103135d146cada962c68

          SHA512

          eb658dcb8d4a800393c6f64c82e998872f11ff6da5699945dc541f82ac5aa1b90ecc892f149275a2b8bd49f359d149f6a06d2f7f192370a70c7158d14bc458ab

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          168B

          MD5

          637629d9916ed7bedf650296d38e405d

          SHA1

          73f532a070ff0adcbf3255d26b15844ee2745504

          SHA256

          e7d808dce14ca9e815a09fc56b1bd965f0fdb0dc9a284d2167243f2d4191dd14

          SHA512

          94ebce95843673fc2c8017ca446f573efc967cf375a88f869935a613bc95ce0b5892814c87ca93426c42380c4148c56c47315cab200c1fa319e5c9bb7d73b122

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

          Filesize

          2.6MB

          MD5

          0c8a0688f878fcaad50f65aa0b711f0d

          SHA1

          3e6662bd0dccca83ff896310feea526299391092

          SHA256

          d35815cb148eca996b1e2643747ecd02ac65825d1872f84500b659f7056e49cd

          SHA512

          a706ef08bc6df4f705fe67fa4f3ce5a6bf596300bbbf3191ca29ba3110f6d63a68551ccb1df946aea3bcbe6815913299e3d9758f442bdc9ca4a115eba9c713d4

        • C:\Vid1J\bodaloc.exe

          Filesize

          2.6MB

          MD5

          416928fa85ef9d1ceb1dbc79b3978a68

          SHA1

          b69cd2842b6ecca0eb41d84b46ab623e0300b541

          SHA256

          c2bb4431e228e3fe144e347ebdca2c97bf5817cf9c670bbcdff6ce5e4ca3e52a

          SHA512

          dd14010960b9be521799b222d3c3bda43a413aee939534d18601afd1eb96840163ad6de4e6912ba5e295b6f6521a38602f01a8a8d11c5bb6da0cca9d3d453333

        • C:\Vid1J\bodaloc.exe

          Filesize

          2.6MB

          MD5

          2fecb840201439bae032905f19e829ff

          SHA1

          db450f8d3f7bf34c690d3020b38507d5565f026a

          SHA256

          84c16653b8f40f45502e5c70c58465eb23959ccac01e070935ead6e52b8dc8c5

          SHA512

          4c4d4da7fff9b05f28e39262a69975a3c1976b4f2230cd47f142c393670158220ced18fd2d3e86cb7cf6dff2866c1298c1e90c0f10e9861cfb53cbf12a13d5fc
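The report above gives three stable host indicators (the dropped file names ecabod.exe, aoptisys.exe and bodaloc.exe; the drop directories C:\SysDrvBI and C:\Vid1J; the Startup-folder copy plus a Run key) and a set of hashes. Note that every dropped copy has a different SHA256 although all are 2.6MB, and bodaloc.exe and the .ini marker were each written twice with different content, so hashes of the dropped copies are weak indicators compared to the names and paths. The following sweep script is an added example written for this page, not part of the sandbox report or of any vendor tooling. It assumes the marker file name generalises to `<digits>_<version>_<user>.ini` (the report shows only one instance) and, because the report does not give the Run key value name, it flags any HKCU Run value whose command line references a dropped name or directory.

```python
"""Sweep a host for the indicators listed in the sandbox report (added example)."""
import hashlib
import re
import sys
from pathlib import Path

# SHA256 values transcribed from the report's Downloads / General sections.
KNOWN_SHA256 = {
    "95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44": "submitted sample",
    "25c765a42754444ce6edf29060ea95a29492bf9f113b10b959eeabc41708782b": r"C:\SysDrvBI\aoptisys.exe",
    "d35815cb148eca996b1e2643747ecd02ac65825d1872f84500b659f7056e49cd": r"Startup\ecabod.exe",
    "c2bb4431e228e3fe144e347ebdca2c97bf5817cf9c670bbcdff6ce5e4ca3e52a": r"C:\Vid1J\bodaloc.exe (1st write)",
    "84c16653b8f40f45502e5c70c58465eb23959ccac01e070935ead6e52b8dc8c5": r"C:\Vid1J\bodaloc.exe (2nd write)",
}
# Names and directories the sample drops (from the Processes and Downloads sections).
DROP_NAMES = {"ecabod.exe", "aoptisys.exe", "bodaloc.exe"}
DROP_DIRS = {"sysdrvbi", "vid1j"}
# Assumption: the marker file 253086396416_10.0_Admin.ini follows <digits>_<version>_<user>.ini.
MARKER_INI = re.compile(r"^\d+_\d+\.\d+_[^_]+\.ini$", re.IGNORECASE)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def sha256_of(path):
    """Stream the file through SHA256 so large drops do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, known_sha256=KNOWN_SHA256):
    """Return the list of reasons a file matches the report's indicators (empty list = no match)."""
    p = Path(path)
    reasons = []
    if p.name.lower() in DROP_NAMES:
        reasons.append("dropped executable name")
    if p.parent.name.lower() in DROP_DIRS:
        reasons.append("dropped directory")
    if MARKER_INI.match(p.name):
        reasons.append("marker .ini name pattern (assumed)")
    if p.is_file():
        digest = sha256_of(p)
        if digest in known_sha256:
            reasons.append("sha256 matches " + known_sha256[digest])
    return reasons


def sweep(root, known_sha256=KNOWN_SHA256):
    """Walk a directory tree; map each matching file path to its reasons."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            reasons = classify(p, known_sha256)
            if reasons:
                hits[str(p)] = reasons
    return hits


def suspicious_run_values(values):
    """values: {value_name: command_line}. Flag autoruns that point at a dropped name or directory."""
    flagged = []
    for name, cmd in values.items():
        low = cmd.lower()
        if any(n in low for n in DROP_NAMES) or any(d in low for d in DROP_DIRS):
            flagged.append(name)
    return flagged


def read_run_key():
    """Live HKCU Run values on Windows; an empty dict elsewhere so the script stays portable."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in sweep(root).items():
        print(path, "->", "; ".join(reasons))
    for name in suspicious_run_values(read_run_key()):
        print("Run value", name, "references a dropped path")
```

Run it against `C:\` and the user's profile on a suspect host; a name or directory hit without a hash hit is the expected outcome given how the copies differ, so treat path matches as sufficient to pull the file for analysis rather than waiting for a hash match.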