Analysis
max time kernel: 119s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Resource: win10v2004-20241007-en
General
Target: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
Size: 2.6MB
MD5: 99bb09ec08a756d69433b3d74452bb40
SHA1: ff7b2379ab9fef415b751a26b37bcbcf75cfcc53
SHA256: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348
SHA512: eb7d47e90f8f03aa3eca19735585fcfdb77746741543e0d40b7dce36f70447a1292e6fea0b9ced1b3fadcd4fa0c9b3697f8c6fb013611350fc2b82fbe8c8c140
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpyb
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  Process: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
Executes dropped EXE (2 IoCs)
  pid 2252  Process ecdevdob.exe
  pid 4216  Process xbodloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials among other sensitive information.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ0\\xbodloc.exe"
    Process: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBDG\\optiaec.exe"
    Process: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecdevdob.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 4984 e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe 4984 e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe 4984 e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe 4984 e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe 2252 ecdevdob.exe 2252 ecdevdob.exe 4216 xbodloc.exe 4216 xbodloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 4984 wrote to memory of 2252   4984  e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe  86
  PID 4984 wrote to memory of 2252   4984  e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe  86
  PID 4984 wrote to memory of 2252   4984  e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe  86
  PID 4984 wrote to memory of 4216   4984  e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe  89
  PID 4984 wrote to memory of 4216   4984  e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe  89
  PID 4984 wrote to memory of 4216   4984  e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe  89
Processes
C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe"
  PID: 4984
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    PID: 2252
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  child: C:\IntelprocZ0\xbodloc.exe
    command line: C:\IntelprocZ0\xbodloc.exe
    PID: 4216
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads