Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 22:59
Static task: static1
Behavioral task: behavioral1
  Sample: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
  Resource: win10v2004-20241007-en
General
Target: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
Size: 2.6MB
MD5: fbad5430cd662d3af22592e04b2bc074
SHA1: 22e9540411b99d83a2fbe15c3377e483c44f2031
SHA256: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80
SHA512: 0e9431853152383f66ea06829ee052fac4bcb0404e45ae3e0703eabe01f0889909feb311d442d8c5bb094907926a37b3288df179729c459e2bd9f5b96ff0810b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bSq:sxX7QnxrloE5dpUp6bV
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
Executes dropped EXE (2 IoCs)
  pid 3104  Process: ecabod.exe
  pid 4236  Process: xoptiec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXL\\xoptiec.exe"
  Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB9D\\dobxec.exe"
  Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecabod.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: xoptiec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4796  Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  (4 entries)
  pid 3104  Process: ecabod.exe  (30 entries)
  pid 4236  Process: xoptiec.exe  (30 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4796 wrote to memory of 3104
  pid: 4796  Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  procid_target: 88  (3 entries)
  description: PID 4796 wrote to memory of 4236
  pid: 4796  Process: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe  procid_target: 91  (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 4796
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3104
   2. C:\SysDrvXL\xoptiec.exe
      Command line: C:\SysDrvXL\xoptiec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4236
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: b3fe316653a050c97979922b587a6f40
SHA1: 6e265faa92cc6ec9ce3d902dfabcc5890e3207e5
SHA256: c2454c2e86bfc377d9bd8f87dbc6d226c46af1c63d9d256f0a3dcaa2de34dd4f
SHA512: 5f29a7ca83560afa6682e8abd6be6cc4b359a467586e40677bea68f7a93d5ab74236d866af1dc3b61a941f08b8a104da4549c5ce7f401e78565ceff62b491693

Filesize: 1015KB
MD5: ce1e4653ab125653cb8daee5ade3db99
SHA1: e5cd3fb67d670398b35863c7dea12cb972571397
SHA256: fae9d95858e344767a41f67f5896eeb04291338e6ae607a0c2b60569b5b32546
SHA512: bf6d81338a530263db4fa8b280fa91134dd496102d86afa3c21a9ce3565d070b392732bbcf1563e3befa1b9ef96cb7a4608bd9f2e3e8d316a45c83121b2610ab

Filesize: 2.6MB
MD5: 9c51f5867980da5ef74c551c64fc3141
SHA1: 43a66c047b4aa05f992fac3efd20fe0a4f28d291
SHA256: 0f38b67e03ba42936b6d33031c77b85244385529381551ba83eefa13263f3cc3
SHA512: 29615a68fa0e36ce527546a06f48c9e83e1929deb8532d89a9dc5e59d698884e35c83bcb52882a172cf42bae5b06441d2bef836c9c7c6548e5418b635626be80

Filesize: 199B
MD5: 661695a8229b21f5ef9b948fcb18a3f7
SHA1: 44a29723945a010652adb65093023a1f6505dd52
SHA256: c17fae0c01415e1691dc78813577d6f87b08889e3c44c9a507a1ddb51e3bc963
SHA512: 14f0920d0106545704cc40a7ecf2693397c87452da0fdb676726dd7a3f6a61231b311621958f2c626f2cc0f4d1c2128d8b01949462086246d803f11722de86c0

Filesize: 167B
MD5: a15e5d8d21dc32a7be474afbafa56b49
SHA1: 677fa3409f5821d0347666b4a7d12e8df52545b9
SHA256: e3e3feec800d63dc05af01f7ca95b93c02d9f599bd7b73564ce164be4cee4b2b
SHA512: c464733cb45d871b711195712c90657506840e53b83c58a003f410f018af7e98e5a6285a3eec294cd67590261cc8dd8f3f2a4a1618b35e82c52faec8ff4d5dab

Filesize: 2.6MB
MD5: 610aed4d2a02e31c74c8b59649f7807c
SHA1: 0f7f7b11eab6c8c5f0a29550faf5be5b10b509ad
SHA256: 1b0b5c4bdc072801bb8239681281129506eafa1001de20237c59e6e40475d4d9
SHA512: ca316d4a14249de64a8998a7b25ce6f48f40538f962a0f97a1e2172d5609b9f3e11f10d6605de62e4794eeb7c3c5ccab4540bba1bcea3d07f41a0c43e2680b3e