Analysis

max time kernel: 119s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:08

The Signatures, Processes and Downloads sections below are from the Windows 7 x64 run (behavioral1); the sample was also queued against a Windows 10 image (behavioral2).

Static task: static1

Behavioral task: behavioral1
  Sample: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  Resource: win10v2004-20241007-en

General

Target: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
Size: 2.6MB
MD5: 23d0af67dfe646f9e6e097a3acfa9496
SHA1: 9de285012d4eecad61214f49f0d85f0908196631
SHA256: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626
SHA512: a80122dc354010325dce2a93abf27e6d9b40ddca1e1ddde96dfe1cd58e71e3e33fe1a00313eac94c478da1ec18fa30219b124e21600a73de1aeb06694c43c5c3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSA:sxX7QnxrloE5dpUppbR
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  Process: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  Anything placed in the per-user Startup folder runs at every logon of that user without touching the registry, and writing there needs no elevated rights.

Executes dropped EXE (2 IoCs)
  PID 2812  ecdevopti.exe
  PID 2204  xbodsys.exe

Loads dropped DLL (2 IoCs)
  PID 816  88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe (2 events; the report does not name the DLLs)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets. No IoCs are listed for this signature in this run.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBH2\\dobdevloc.exe"
  Process: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7M\\xbodsys.exe"
  Process: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  Both values are written to the current user's hive (no elevation needed) and share the value name Parametr, which makes that name a useful hunting pivot. The Run value relaunches xbodsys.exe at every logon; the RunOnce value launches dobdevloc.exe once at the next logon and is then deleted, so dobdevloc.exe is not executed during this run and does not appear in the process tree below.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe, ecdevopti.exe, xbodsys.exe
  Benign software reads this key while initialising locale settings, so on its own it is weak evidence; it matters here because all three binaries from this run perform the same check.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 816   88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe (2 events)
  PID 2812  ecdevopti.exe and PID 2204 xbodsys.exe (the remaining 62 events alternate between these two processes)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 816 (88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe) wrote to memory of PID 2812 ecdevopti.exe: 4 events, procid_target 31
  PID 816 (88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe) wrote to memory of PID 2204 xbodsys.exe: 4 events, procid_target 32
  Both targets are children the sample itself starts (see Processes). A parent writes into a child it has just created as part of normal process start-up, so this signature alone does not establish injection; the persistence entries above are the stronger indicators.
Processes

C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe"
  PID: 816 (depth 1)
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    PID: 2812 (depth 2, child of 816)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Adobe7M\xbodsys.exe
    Command line: C:\Adobe7M\xbodsys.exe
    PID: 2204 (depth 2, child of 816)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

The report does not map these six files to the dropped file names; four are the same size as the submitted sample (2.6MB) and two are small (172B, 204B).

Download 1
  Filesize: 2.6MB
  MD5: ef0f638f6fd6048700a39f1329346d8c
  SHA1: 4314421c1828e056da3082f870fb41b17d0c9639
  SHA256: 6126175486c8e7abd7395b934d59abfa03ff18beaaae0bc9b1c971043ae1fcc3
  SHA512: f38ec4df8a818846c9c8cce5754d5fff2c59cd23d7a17d74cbc173f302cc43bf87dee057b31561cf6b5d83079de0d91092dc5108d9ba8283bd3600f9567bb51c

Download 2
  Filesize: 2.6MB
  MD5: 3f52b1ae4b7529887b4db28b9f5b79a7
  SHA1: 9f35439dd3b3d01173f579ae325137975feef39b
  SHA256: 7a7f328a31b6a4ab42fc20ccc3a904a4795f99a2e29cb2e2837125706513d0cc
  SHA512: 7e6d19ebe93e048ff3c186ec08246dad50c8d7a8dce4d9b923e91a2ec5c2a44b030f1ecc47e14fabe68df1fbb8e3cb12d4c11047bf6bb18ebea73704f400ef81

Download 3
  Filesize: 2.6MB
  MD5: c59417404731b98ae63cb288bf098027
  SHA1: c77f55b8e5078a62b266fce73a067eaa05af8207
  SHA256: 39862a44300951a4306713382a74d6b4f4144c03b37a9b11cf0a9f3c433522d5
  SHA512: e00537a6401e176d81222c6d796ece38b0e82b606da6b56e94df98911f373370eaa431947c70c6bfad915347f80c520f244bc45114eec76a2f5bb9d49a87e191

Download 4
  Filesize: 172B
  MD5: 2bc20f384040ff6141eb24c813a8b134
  SHA1: 79361c4432552fbe122fdf2b8a8b5999c5aafa7a
  SHA256: 6aa8d6a17aa1e85742f7cc8575877d399db701db53ce2781c3fe6685bbaf6527
  SHA512: 8292605aa10f91e5ebb6c3dc29b8f89eee52e5e77a0a4737f66d1046930f5593f801a82202545708cb372c98bf5bcf946d81b9b65fd0d07b9f5d0ebce228e62f

Download 5
  Filesize: 204B
  MD5: 628a7263d740617330f1d8658e3b9b9b
  SHA1: ececc80e0cae421839ad9af67b077a13a2bb089a
  SHA256: 24cbb48f6f5a1f2df513d4ec945b9cff2fbf70d7c1c937fa77ccd2469f121fcd
  SHA512: 5a85a13857102d61dccd9a2d986c58127e3a04416f20209a04135b7b9fe44f197271928c7c22134c000cbd0221995e6ef12660e21aa5879640aef705905c935c

Download 6
  Filesize: 2.6MB
  MD5: dcaa1567e67b55277721aa9dee1d1912
  SHA1: 0892a1aab51db8da5422c227f583098fb95c4d13
  SHA256: c8656736f4118d1803f1143a1da0d1240e12f56b3c9afe1721a06c2487f1431e
  SHA512: 9526654060adfe6b61b19a3f4ad24b5064f2016048f559189a108b543222aecfe3ad0e031b4d72fb1d1cea00e44e5c23505fc928e19f18a2f6e1c9d6d6b48f2d
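The persistence and execution indicators in the Signatures section (the Startup folder drop, the Run/RunOnce values named Parametr, execution from root-level directories such as C:\Adobe7M) together with the SHA256 values listed under Downloads, turned into host-hunting logic. This is an added example, not part of the report and not the sample's code. It assumes Sysmon-style events (EventID 1, 11 and 13 with Image, TargetFilename, TargetObject, Details and Hashes fields); the event list at the bottom is constructed for the demonstration, including the pairing of xbodsys.exe with one particular SHA256, which the report does not establish. The root-level-directory check generalises from the two paths in the report.

```python
"""Hunting checks built from the IoCs in the sandbox report above.

Added example (not tria.ge output, not the sample's code). Event shapes are
modelled on Sysmon; SAMPLE_EVENTS is constructed, not captured.
"""
from __future__ import annotations

import re

# --- indicators copied from the report ------------------------------------
SAMPLE_SHA256 = "88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626"
DROPPED_SHA256 = {
    "6126175486c8e7abd7395b934d59abfa03ff18beaaae0bc9b1c971043ae1fcc3",
    "7a7f328a31b6a4ab42fc20ccc3a904a4795f99a2e29cb2e2837125706513d0cc",
    "39862a44300951a4306713382a74d6b4f4144c03b37a9b11cf0a9f3c433522d5",
    "6aa8d6a17aa1e85742f7cc8575877d399db701db53ce2781c3fe6685bbaf6527",
    "24cbb48f6f5a1f2df513d4ec945b9cff2fbf70d7c1c937fa77ccd2469f121fcd",
    "c8656736f4118d1803f1143a1da0d1240e12f56b3c9afe1721a06c2487f1431e",
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}
DROPPED_NAMES = {"ecdevopti.exe", "xbodsys.exe", "dobdevloc.exe"}
RUN_VALUE_NAME = "parametr"  # value name the sample used under both Run and RunOnce

# --- patterns generalised from the report ---------------------------------
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(RunOnce|Run)\\([^\\]+)$", re.I)
STARTUP_EXE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# C:\Adobe7M\xbodsys.exe and C:\KaVBH2\dobdevloc.exe: an exe inside a directory
# created directly under the drive root, which legitimate installers rarely do.
ROOT_DIR_EXE_RE = re.compile(r"^[A-Z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata"}


def _basename(path: str) -> str:
    return path.strip('"').split("\\")[-1].lower()


def check_registry(target_object: str, details: str) -> list[str]:
    """Registry value set (Sysmon event 13): Run/RunOnce entries resembling the report."""
    m = RUN_KEY_RE.search(target_object)
    if not m:
        return []
    key, value_name = m.group(1), m.group(2)
    target = details.strip('"')
    hits = []
    if value_name.lower() == RUN_VALUE_NAME:
        hits.append(f"{key} value name '{value_name}' matches the report")
    if _basename(target) in DROPPED_NAMES:
        hits.append(f"{key} launches dropped file {_basename(target)}")
    rm = ROOT_DIR_EXE_RE.match(target)
    if rm and rm.group(1).lower() not in STANDARD_ROOT_DIRS:
        hits.append(f"{key} launches an exe from root-level directory {rm.group(1)}")
    return hits


def check_file_create(target_filename: str) -> list[str]:
    """File created (Sysmon event 11): executables landing in a Startup folder."""
    hits = []
    if STARTUP_EXE_RE.search(target_filename):
        hits.append("executable written to a Startup folder")
    if _basename(target_filename) in DROPPED_NAMES:
        hits.append(f"dropped file name {_basename(target_filename)} matches the report")
    return hits


def check_process(image: str, hashes: dict) -> list[str]:
    """Process create (Sysmon event 1): known hashes, known names, Startup-folder images."""
    hits = []
    if hashes.get("SHA256", "").lower() in KNOWN_SHA256:
        hits.append("SHA256 matches the sample or one of its dropped files")
    if _basename(image) in DROPPED_NAMES:
        hits.append(f"process name {_basename(image)} matches the report")
    if STARTUP_EXE_RE.search(image):
        hits.append("process image runs from a Startup folder")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Dispatch each event to its check; returns (event index, reason) pairs."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:
            hits = check_process(ev["Image"], ev.get("Hashes", {}))
        elif eid == 11:
            hits = check_file_create(ev["TargetFilename"])
        elif eid == 13:
            hits = check_registry(ev["TargetObject"], ev.get("Details", ""))
        else:
            hits = []
        findings.extend((i, h) for h in hits)
    return findings


# Constructed events: the first four mirror the report, the last two are benign noise.
SID = r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\KaVBH2\dobdevloc.exe"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\Adobe7M\xbodsys.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"},
    {"EventID": 1, "Image": r"C:\Adobe7M\xbodsys.exe",  # hash pairing is constructed, not from the report
     "Hashes": {"SHA256": "c8656736f4118d1803f1143a1da0d1240e12f56b3c9afe1721a06c2487f1431e"}},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "Hashes": {"SHA256": "0" * 64}},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The value name Parametr and the hash set are exact matches; the Startup-folder and root-level-directory checks are heuristics that will fire on some legitimate software, so treat them as triage signals to be confirmed against the process tree rather than as verdicts.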