Analysis
- max time kernel: 120s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 23:24

Static task: static1

Behavioral task: behavioral1
- Sample: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Resource: win10v2004-20241007-en

General
- Target: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Size: 2.6MB
- MD5: 2e47363aafdf52a77e53e93942f5cff0
- SHA1: 7ecd9a116d4e5e7b3c5d4342a05984e86c777bd2
- SHA256: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7b
- SHA512: 0a0c086e1bb060fb85c6b75befb53710db13a8eb54d5587444b18dc6d8e1122dad733c91b6c4200e4c4bb1f75166434bcc09736e0efda3a01326549bd55fa4bf
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUp6b
Malware Config
Signatures
-
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe, by 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
Anything placed in the per-user Startup folder is launched at every interactive logon of that user, so this is a persistence mechanism in its own right, independent of the Run keys below.
Executes dropped EXE (2 IoCs)
- PID 2084: ecxbod.exe
- PID 2904: aoptiec.exe
Loads dropped DLL (2 IoCs)
- PID 2412: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe (two load events; the DLL paths are not listed in this section of the report)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data. No individual IoCs are listed for this signature in the report.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8A\\bodaec.exe", by 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV4\\aoptiec.exe", by 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
Both values are written under the logged-on user's hive (\REGISTRY\USER\<SID>, i.e. HKU\<SID>, which is HKCU for that session) and share the value name Parametr (sic). The Run value re-launches aoptiec.exe at every logon; the RunOnce value launches bodaec.exe once at the next logon and is then removed by Windows. Note that bodaec.exe under C:\LabZ8A never appears elsewhere in this report: there is no file-creation event for it and no process with that image in the tree, so this trace does not show whether that path is ever populated.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by ecxbod.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by aoptiec.exe
All three processes perform the same check, which is consistent with the dropped executables sharing code with the parent.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2412: 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe (2 entries)
- PID 2084: ecxbod.exe and PID 2904: aoptiec.exe, alternating for the rest of the 64-entry listing
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2412 (233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe) wrote to memory of PID 2084, procid_target 31: 4 events
- PID 2412 (233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe) wrote to memory of PID 2904, procid_target 32: 4 events
Both targets are the child processes the parent itself spawned (see the process tree below), so these writes are consistent with ordinary process start-up rather than injection into an unrelated process; on its own this signature corroborates the parent-child relationship and nothing more.
Processes
1. C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe (PID 2412)
   Command line: "C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe (PID 2084, child of 2412)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\AdobeV4\aoptiec.exe (PID 2904, child of 2412)
      Command line: C:\AdobeV4\aoptiec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
In this run both dropped executables are started directly by the sample; the Startup-folder copy and the Run value are what would re-launch them at the next logon.
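The persistence IoCs ("Adds Run key", "Drops startup file") and the WriteProcessMemory events are easiest to reason about once they are normalised against the process tree. The following Python is an added example, not part of this report or of the sandbox's own tooling. It parses the IoC strings in the form the report prints them (the `Set value (str) <key>\<value> = "<data>" <process>`, `File created <path> <process>` and `PID a wrote to memory of b ...` lines, copied into the script as constructed input), converts the native `\REGISTRY\USER\<SID>` prefix to the `HKU\<SID>` form used when hunting on a live host, reports which persistence targets actually ran in this trace, and lists any memory write whose target is not a direct child of the writer. The line formats and the parent-child relationships are taken from the report as displayed; the data-class fields and helper names are this example's own.

```python
"""Normalise the IoC lines of the sandbox report above and cross-check them
against the process tree.  Added example, not the report's own tooling; the
input lists are constructed by copying the report's lines verbatim."""
import re
from dataclasses import dataclass

SAMPLE = "233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe"

# Constructed input: the two "Adds Run key" IoCs in the report's own format
# (the report doubles the backslashes inside the quoted value data).
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8A\\bodaec.exe" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV4\\aoptiec.exe" ' + SAMPLE,
]
# Constructed input: the "Drops startup file" IoC.
FILE_IOCS = [
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe " + SAMPLE,
]
# Constructed from the "Processes" section: (pid, parent pid, image path).
PROCESS_TREE = [
    (2412, None, r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE),
    (2084, 2412, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"),
    (2904, 2412, r"C:\AdobeV4\aoptiec.exe"),
]
# Constructed from "Suspicious use of WriteProcessMemory": four events per child.
WPM_IOCS = [f"PID 2412 wrote to memory of 2084 2412 {SAMPLE} 31"] * 4 + \
           [f"PID 2412 wrote to memory of 2904 2412 {SAMPLE} 32"] * 4

_REG_RE = re.compile(r'^Set value \((\w+)\) (\S+)\\([^\\\s]+) = "(.*)" (\S+)$')
_FILE_RE = re.compile(r"^File created (.+) (\S+)$")
_WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")


@dataclass(frozen=True)
class RegistryPersistence:
    hive_path: str   # HKU\<SID>\... or HKLM\... form of the native \REGISTRY\... key
    value_name: str  # "Parametr" in this report
    target: str      # command the key will launch, with backslashes un-doubled
    trigger: str     # last key component: "Run" (every logon) or "RunOnce" (next logon only)
    set_by: str      # process that wrote the value


def native_to_hive(key: str) -> str:
    """Map the kernel-style \\REGISTRY\\USER / \\REGISTRY\\MACHINE prefix to HKU / HKLM."""
    for native, hive in (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\")):
        if key.upper().startswith(native):
            return hive + key[len(native):]
    return key


def parse_registry_ioc(line: str) -> RegistryPersistence:
    m = _REG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised registry IoC: {line!r}")
    _kind, key, value_name, data, proc = m.groups()
    return RegistryPersistence(
        hive_path=native_to_hive(key),
        value_name=value_name,
        target=data.replace("\\\\", "\\"),
        trigger=key.rsplit("\\", 1)[-1],
        set_by=proc,
    )


def parse_file_ioc(line: str) -> tuple[str, str, bool]:
    """Return (path, creating process, whether the path is in a Startup folder)."""
    m = _FILE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised file IoC: {line!r}")
    path, proc = m.groups()
    return path, proc, "\\start menu\\programs\\startup\\" in path.lower()


def parse_wpm_ioc(line: str) -> tuple[int, int]:
    """Return (writer pid, target pid) for a WriteProcessMemory IoC line."""
    m = _WPM_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory IoC: {line!r}")
    return int(m.group(1)), int(m.group(2))


def persistence_report(registry_iocs, file_iocs, tree) -> dict[str, bool]:
    """Every persistence target -> True if a process with that image path ran in the trace."""
    ran = {img.lower() for _, _, img in tree}
    out = {}
    for line in registry_iocs:
        p = parse_registry_ioc(line)
        out[p.target] = p.target.lower() in ran
    for line in file_iocs:
        path, _proc, in_startup = parse_file_ioc(line)
        if in_startup:
            out[path] = path.lower() in ran
    return out


def writes_outside_children(wpm_iocs, tree) -> list[tuple[int, int]]:
    """WriteProcessMemory events whose target the writer did not itself create.
    A parent writing into a child it has just spawned is expected at start-up;
    any other (writer, target) pair is what deserves a closer look."""
    parent_of = {pid: ppid for pid, ppid, _ in tree}
    return sorted({(w, t) for w, t in map(parse_wpm_ioc, wpm_iocs) if parent_of.get(t) != w})


if __name__ == "__main__":
    for target, seen in persistence_report(REGISTRY_IOCS, FILE_IOCS, PROCESS_TREE).items():
        print(f"{'ran' if seen else 'NOT observed':12} {target}")
    print("writes outside parent->child:", writes_outside_children(WPM_IOCS, PROCESS_TREE))
```

Run against this report the script reports aoptiec.exe and the Startup-folder ecxbod.exe as observed, flags C:\LabZ8A\bodaec.exe (the RunOnce target) as never seen, and finds no memory write outside the parent-child pairs, which is the same conclusion the signatures above support; feeding it a report with a write into an unrelated PID would surface that pair.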
Network
MITRE ATT&CK Enterprise v15
Downloads
Seven artifacts are listed; paths are not given in this section. Four of them are 2.6MB, the same size as the submitted sample.

1. Filesize: 32KB
   MD5: aa404e81fdc4946ac80a30fbf1b10c14
   SHA1: ed71e23df81576b945ef2f6e00f8f5b35f6a533b
   SHA256: 93b7a38f773796c870936ed5977333e42c13a41c33ba790d40d9ee15d294bd79
   SHA512: 3e210cc458293feedc8e52a4502d6a1fa12b5f5987d3bcb5323174b27f832f654224255aed64448d908132cb1173f0557d9a2234ee5e6d9caa220da210ee1ef0

2. Filesize: 2.6MB
   MD5: c591efcad97a654bef2575cd58d4a0b1
   SHA1: 0b921bfdf205f29802ce6969c1e07c776635c42e
   SHA256: 492568b6ff3aed2deccc990f35438dd3eccfbb329129b1dfb292665a79a8743f
   SHA512: b395a44d7acdf69851d48f81affab34e9ae934295fc950d2af04bd3e7dfb69c258052e4f0e1c6a61bb8d45331aa7aafb6fe3a7f9665474e4d8f79014f04994c4

3. Filesize: 2.6MB
   MD5: 9e3a71ac94137568ad74cd951436126b
   SHA1: e6670517c50348cae97a5f3b5fddaef8c40dae66
   SHA256: 9215fbdd55399cda225e2226edd2ef7618c4955200cf7f56a8421846b94e0d77
   SHA512: 44be26e214abf0766b3b281fbf236b09620e045469c463ff878e1c319754cd3a2a1fe716d543c45fefee1384897ef50776cbf15f75d713d9988c908bbc814275

4. Filesize: 166B
   MD5: 78ba6f2743c02b1f156cb7eeb0b91a0f
   SHA1: fb917389ea02d19d8290d329602c6fb1dd1b4f8c
   SHA256: d51c4e03a9aef20580ed77e5a56b60624eadeb6c06d126f05813517e94c46461
   SHA512: d2b5b0fabad63e6885b2929497d34404b9f686ae59bb9ef67a5ffd1ef7f4957d4e5475ccc1f7aa0aa760f1d853421536c1f3d69dd56cc8bb351b4dc1de5f3830

5. Filesize: 198B
   MD5: b9cf59cc26fb838c012d6ce9b43e7909
   SHA1: 9f647bfc14c4926bfe8d79005c97440d8d96775f
   SHA256: baa614e2c7767f5514f4e1605a393a8df05644492a7990f8ad7e8f4ee95610cc
   SHA512: aa4b8f4f2c3e0a8525ecb8baa49b6d356e387f3367ab3b657e8456a035046efebf1744d6b752032ca6c39d0e4780c9e2fc9db58eb7ce9539f0b880b447e6b8b6

6. Filesize: 2.6MB
   MD5: ff5a5d7f5f622a427e890fbaf8f98211
   SHA1: 3917a1b54977efc0848970e1f39805180488dcb5
   SHA256: c040eb2b101acdaa0ddf9bb6a19a9e648ba4a870e08dd4cba2f57350cca8ab2e
   SHA512: 670c189cd591f8a6f25f5bee7273d263834ab2f567f3931f1d282d514f1c042d0046d67badfb234577340a8897d84dead0e54b7a1d27d28da3cfcc2b165519d9

7. Filesize: 2.6MB
   MD5: 3bf0ea8743e0801be5a7ef1de0a73ff3
   SHA1: e0c8b807c4f9eabc23787cc696e50788ad60f922
   SHA256: 837c7a2a1c38fbbb4f3c8fb8eaceba4d136d86e91eeca214597103158e4b0bd6
   SHA512: cb9f82109f282caeaa6a328f3397b28c1d053d0cfe2d2e2aa49189750e7d83ebda711da0c5a6f0bd99fd2ffb6afb21caa9030baeecb86ebb0e508aedc13f38e2