Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:14

General

  • Target

    aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe

  • Size

    2.6MB

  • MD5

    1a9eb84e3c93211f62724b53b0d7c603

  • SHA1

    37dee78b4ca56a1671b13927063cc2131e6dc565

  • SHA256

    aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9

  • SHA512

    26512f8bcb571306b20bebab9cc7ea682c1a76b54908ad2511cd5ab0ff64a5c3807b0727ccf74fce877b400a19bb5cdfb3b406626e1c0e5cd48921b2a7fb147a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSP:sxX7QnxrloE5dpUpbbM

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
    "C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3064
    • C:\FilesMK\xbodsys.exe
      C:\FilesMK\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2328

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\FilesMK\xbodsys.exe

          Filesize

          2.6MB

          MD5

          998f819f2a22ec804835ffeec5fd497b

          SHA1

          bed64f8acb4a0a4718231a49d4d5ae533622d460

          SHA256

          39e2b277b57e192e4844e72e1d510082254cbfda03f10784c8e405849af44e0c

          SHA512

          81f1813778f8f81695d0d65ae1aef2889e375b87ce5eeaf463b6f9262489edee9369b1581410ce897ca43e8cf4a9aa8d3e8fee56c24d8350590d7b7e8da6040a

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          170B

          MD5

          0eb9431ed772b86c20561c89774441b5

          SHA1

          38596249ca2337806894ebbcbeb07154ab92528c

          SHA256

          3e63d02d245288a0dfa7ba0d5daa8fb5b1fac032f4f4f2ef7e390f88938062ef

          SHA512

          6684f5fb1ddb8f1fb50de6f24b3acad943aac76e39b6cd58ec8ed77b3ea7dd443380b85cb30dceb0fd4802aec6d07eb5972b377e50c1e35186eaaf41b6b26067

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          202B

          MD5

          89788810f7b8b627802692b6dd6eea4b

          SHA1

          497b7d725f6c83f934ecc9204a66b22ae472194c

          SHA256

          b5480bfa43f47b6a92e846355150361b7bd749ba440dd3a2be8f0bb81b14430c

          SHA512

          09c4e7a9b0a9f5969d10f7d1cb903b687d7690003170a6f894f4ca73f33590808836c6cb3bc0c4b5bcc70d3685725ead518b38f8e95e272c45b541c3d3ba57f3

        • C:\VidSV\optidevsys.exe

          Filesize

          2.6MB

          MD5

          6f3ebac4b21315a1e865dd0b207f232c

          SHA1

          e2c3b154765994e12fcd5c11fb0c64c905814927

          SHA256

          70d3a6ec4f20b2e35f31d22f016d5ad41a130777c19a6639f26861b6c793add8

          SHA512

          94e4ea1ef8ac1bde5797cbb05caaa00e3bd2b086de4ed762f26028d354c51d74bfb2d0a22aa6e7b914b01e29ec8780cfa6a41b82c0282b59943461188fa178ab

        • C:\VidSV\optidevsys.exe

          Filesize

          2.6MB

          MD5

          aa2d7ae2f430dbb9470d5967b1c15235

          SHA1

          e344ff5796c6b6018953ee569262d0007d13b11d

          SHA256

          9fe91b79faccd3894deb107697375decf1309f89298268a64a2da96717735f49

          SHA512

          72e62be0ebb17cf52540d6f66d808291ab392bb708bc6d6f89e62799d367ff011ee3cc4b68b0e296a37b5ee00932a431839f4f2f5b01064aede990690052b980

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

          Filesize

          2.6MB

          MD5

          fc3d28b7936b6c80e07524daf2ae003b

          SHA1

          063a9c94a13a5e3998423adfd0e2c95a91d69b07

          SHA256

          7936f85ae4ca82c2e14ea1a3336e21753b96f7ca40735d0eba243663ee75cf17

          SHA512

          6d0bf0d98001c99b9ae2110f04f98eefc4f44c0276620ccf1e9ea2eec00a8df82b11130f708ebaa9f1a2bfaec88ea7411e1c53eb887967d48c383fea859e5b8d