Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/11/2024, 23:27

General

  • Target

    6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe

  • Size

    2.6MB

  • MD5

    69bf32f0b90f257c1afc1c95df1be3b2

  • SHA1

    1e87ae5ec09ff190786587c8ba55b65a782e048d

  • SHA256

    6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c

  • SHA512

    d0d6d2893d18581bbf62a9e532796a500145bdd1dab54efcb0a76cb9c70245b7d502b695ffddc2a2d9b798c68268b6baef6d58866e819c28dfc722d3f9c2e7c4

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSN:sxX7QnxrloE5dpUpzba

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe
    "C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2056
    • C:\FilesBR\xdobsys.exe
      C:\FilesBR\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1536

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\FilesBR\xdobsys.exe

          Filesize

          2.6MB

          MD5

          4e0f5a14dc5973b2270184f3bbcf82e1

          SHA1

          2e6fd54043fa4ccaf01efa1c1da9a822962342ab

          SHA256

          07f4d10b1321f363d20bff63c877b23b8a791e93ab6394e00119d0c47937c45e

          SHA512

          aa9107455e0bbdc3fc5dceba75e01d0257332ad0c22be4db1440c671f3a182d159aa876fd9acbd941fc1e69dd0dbf0691298ebeb761ae642c194951b853dfc5e

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          167B

          MD5

          bd4468da1ad114ed959544ada3ec4d0b

          SHA1

          75461c145b05964aa12c7a7293d8722478fe6870

          SHA256

          de381b89553dcae477e4b7dfc0e5a4431b3de1e810cfeed73c1e584728ba6fde

          SHA512

          a90e43596dcc8cd6c932c4d3a3436d0c39769be396ec7df3568764932a7accc82b241f50cbd4707cc3a318919d4c782a31050f6722b9d52314af3721834c5e10

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          199B

          MD5

          98765776447b50c305868231c4b1e325

          SHA1

          461aab684d7e8aac0e51165850c9854c3c85c0f3

          SHA256

          206e71db5bab10d7302baafa30d1d243e49d738854737f9d2608f950a3133dcc

          SHA512

          b01b344047b8e70b0773895b92d09bf8ac470672375b269c897cf7d44b127ec7b6a3599c4f9b04bb3988bdda9476caf887c860f667dc9bd7b54f9ec0cfef1aba

        • C:\VidOO\bodaloc.exe

          Filesize

          2.6MB

          MD5

          8ba215bcf1dd16866cc0f41472d80c78

          SHA1

          f1e067d52c7f4544bbd29fec23d903b42c31852b

          SHA256

          b0f0948cce9f8c8968372ebe7f5eae326277711cea577ca032cbd3abbdf2d4c0

          SHA512

          878c00f72e0ac44b578ea4ef7da5b0f9e51c099c27960d1b085751ce35b046b57c8f19aa314237426260c0b14dee14338ae173e3d63ad91f0acbc2c71bf4a428

        • C:\VidOO\bodaloc.exe

          Filesize

          2.6MB

          MD5

          8a937f36dca27de363ec9fb773c64f30

          SHA1

          9e013314f35c8e763990f9a31bb5c694cbd69a1f

          SHA256

          6e1ccc9e4e792df465a44d81419ad3615212c5309c28ae0500504cdddd675d5c

          SHA512

          60ed30c70c91e9f6fe41633763b183e222b3537867257cde0708e85e935ce93b688084c85ab90e78165b7f4b999fd3292a468609f83edbc7c86f0655d8e5e5bc

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

          Filesize

          2.6MB

          MD5

          43d71ee55c74e3e6d48d93879e832f04

          SHA1

          accdb93ca7ba6022937249a95594de41f250ef34

          SHA256

          66acb7c06a97d337d247f48b58016fe259cf7d7cf62dd89e9f210b54195e31c6

          SHA512

          31d071dfa0c8be4ecc88619ae6dee1cf250a3d4b2fd2a766084d5381811e3e6a31d6504cbc4e5edd864d0120c8f1604cc1fc81e8cab839fb008167eda41b1388