Analysis
- max time kernel: 119s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 23:27
Static task: static1
Behavioral task: behavioral1
- Sample: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
- Resource: win10v2004-20241007-en
General
- Target: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
- Size: 2.6MB
- MD5: 69bf32f0b90f257c1afc1c95df1be3b2
- SHA1: 1e87ae5ec09ff190786587c8ba55b65a782e048d
- SHA256: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c
- SHA512: d0d6d2893d18581bbf62a9e532796a500145bdd1dab54efcb0a76cb9c70245b7d502b695ffddc2a2d9b798c68268b6baef6d58866e819c28dfc722d3f9c2e7c4
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSN:sxX7QnxrloE5dpUpzba
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe)
- Executes dropped EXE (2 IoCs)
  PID 2056: ecaopti.exe
  PID 1536: xdobsys.exe
- Loads dropped DLL (2 IoCs)
  PID 2536: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
  PID 2536: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials among other data.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBR\\xdobsys.exe" (process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOO\\bodaloc.exe" (process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecaopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2536 wrote to memory of 2056: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (procid_target 30)
  PID 2536 wrote to memory of 2056: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (procid_target 30)
  PID 2536 wrote to memory of 2056: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (procid_target 30)
  PID 2536 wrote to memory of 2056: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (procid_target 30)
  PID 2536 wrote to memory of 1536: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (procid_target 32)
  PID 2536 wrote to memory of 1536: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (procid_target 32)
  PID 2536 wrote to memory of 1536: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (procid_target 32)
  PID 2536 wrote to memory of 1536: 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (procid_target 32)
Processes
- C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe (PID 2536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (PID 2056)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\FilesBR\xdobsys.exe (PID 1536)
    Command line: C:\FilesBR\xdobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads