Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 11/11/2024, 23:14
Static task: static1
Behavioral task: behavioral1
  Sample: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
  Resource: win10v2004-20241007-en
General
Target: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
Size: 2.6MB
MD5: 1a9eb84e3c93211f62724b53b0d7c603
SHA1: 37dee78b4ca56a1671b13927063cc2131e6dc565
SHA256: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9
SHA512: 26512f8bcb571306b20bebab9cc7ea682c1a76b54908ad2511cd5ab0ff64a5c3807b0727ccf74fce877b400a19bb5cdfb3b406626e1c0e5cd48921b2a7fb147a
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSP:sxX7QnxrloE5dpUpbbM
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (process: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe)

Executes dropped EXE (2 IoCs)
  PID 3064: ecxopti.exe
  PID 2328: xbodsys.exe

Loads dropped DLL (2 IoCs)
  PID 1480: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSV\\optidevsys.exe" (process: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMK\\xbodsys.exe" (process: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodsys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxopti.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, all from three processes (the report lists the same PIDs repeatedly):
  PID 1480: aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
  PID 3064: ecxopti.exe
  PID 2328: xbodsys.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1480 (aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe) wrote to memory of PID 3064 (ecxopti.exe), procid_target 30 (4 entries)
  PID 1480 (aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe) wrote to memory of PID 2328 (xbodsys.exe), procid_target 31 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe (PID 1480)
  command line: "C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe (PID 3064, child of PID 1480)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\FilesMK\xbodsys.exe (PID 2328, child of PID 1480)
    command line: C:\FilesMK\xbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 998f819f2a22ec804835ffeec5fd497b
SHA1: bed64f8acb4a0a4718231a49d4d5ae533622d460
SHA256: 39e2b277b57e192e4844e72e1d510082254cbfda03f10784c8e405849af44e0c
SHA512: 81f1813778f8f81695d0d65ae1aef2889e375b87ce5eeaf463b6f9262489edee9369b1581410ce897ca43e8cf4a9aa8d3e8fee56c24d8350590d7b7e8da6040a

Filesize: 170B
MD5: 0eb9431ed772b86c20561c89774441b5
SHA1: 38596249ca2337806894ebbcbeb07154ab92528c
SHA256: 3e63d02d245288a0dfa7ba0d5daa8fb5b1fac032f4f4f2ef7e390f88938062ef
SHA512: 6684f5fb1ddb8f1fb50de6f24b3acad943aac76e39b6cd58ec8ed77b3ea7dd443380b85cb30dceb0fd4802aec6d07eb5972b377e50c1e35186eaaf41b6b26067

Filesize: 202B
MD5: 89788810f7b8b627802692b6dd6eea4b
SHA1: 497b7d725f6c83f934ecc9204a66b22ae472194c
SHA256: b5480bfa43f47b6a92e846355150361b7bd749ba440dd3a2be8f0bb81b14430c
SHA512: 09c4e7a9b0a9f5969d10f7d1cb903b687d7690003170a6f894f4ca73f33590808836c6cb3bc0c4b5bcc70d3685725ead518b38f8e95e272c45b541c3d3ba57f3

Filesize: 2.6MB
MD5: 6f3ebac4b21315a1e865dd0b207f232c
SHA1: e2c3b154765994e12fcd5c11fb0c64c905814927
SHA256: 70d3a6ec4f20b2e35f31d22f016d5ad41a130777c19a6639f26861b6c793add8
SHA512: 94e4ea1ef8ac1bde5797cbb05caaa00e3bd2b086de4ed762f26028d354c51d74bfb2d0a22aa6e7b914b01e29ec8780cfa6a41b82c0282b59943461188fa178ab

Filesize: 2.6MB
MD5: aa2d7ae2f430dbb9470d5967b1c15235
SHA1: e344ff5796c6b6018953ee569262d0007d13b11d
SHA256: 9fe91b79faccd3894deb107697375decf1309f89298268a64a2da96717735f49
SHA512: 72e62be0ebb17cf52540d6f66d808291ab392bb708bc6d6f89e62799d367ff011ee3cc4b68b0e296a37b5ee00932a431839f4f2f5b01064aede990690052b980

Filesize: 2.6MB
MD5: fc3d28b7936b6c80e07524daf2ae003b
SHA1: 063a9c94a13a5e3998423adfd0e2c95a91d69b07
SHA256: 7936f85ae4ca82c2e14ea1a3336e21753b96f7ca40735d0eba243663ee75cf17
SHA512: 6d0bf0d98001c99b9ae2110f04f98eefc4f44c0276620ccf1e9ea2eec00a8df82b11130f708ebaa9f1a2bfaec88ea7411e1c53eb887967d48c383fea859e5b8d