Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:38
Static task: static1
Behavioral task: behavioral1
  Sample: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  Resource: win10v2004-20241007-en
General
Target: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
Size: 2.6MB
MD5: c7e50d61c00eb75bba1d48ee02bef93a
SHA1: e0157de06f8dbeac93620ef7eaa32b5ce9f41339
SHA256: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde
SHA512: 46b57b94d31730ef3d11c4a22cbeb92888a349f50cd439d3b378959ff64438480d1d7ea145c2dca972629df5502109f81ecf2ebdd6ba26f3be1dfab2a5bcdb5b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqI:sxX7QnxrloE5dpUpobVI
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Process: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
Executes dropped EXE (2 IoCs)
  PID 2364  ecdevopti.exe
  PID 2700  xbodloc.exe
Loads dropped DLL (2 IoCs)
  PID 2980  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  PID 2980  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9A\\xbodloc.exe"
    Process: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY9\\boddevsys.exe"
    Process: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecdevopti.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: xbodloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2980  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe  (listed twice)
  PID 2364  ecdevopti.exe  and  PID 2700  xbodloc.exe  (listed alternately for the remaining 62 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2980 (aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe) wrote to memory of PID 2364, procid_target 30  (4 entries)
  PID 2980 (aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe) wrote to memory of PID 2700, procid_target 31  (4 entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe"
    PID: 2980
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      PID: 2364
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    Child: C:\Files9A\xbodloc.exe
      Command line: C:\Files9A\xbodloc.exe
      PID: 2700
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 2.6MB
   MD5: ab40f8f2e62200bb1ee9dee46be5a572
   SHA1: c3bf48527f2c3ae74d72236dd6067d0957f6ccc8
   SHA256: ac0bccea708a01c39038314e81ad131bcb1f6d07d1e955afb7faa35de5fa39dd
   SHA512: bba359ab38212c54e397bb74abcf0a03fbf5eb9fcb6d1296ba22d4a6fabe60dfc82db04750122382fd9f9f0d851716d42fbe3adaf0d30be1a1f586fb2b30ab20
2. Filesize: 171B
   MD5: 60151bbe6453256c273a81b6ba25146a
   SHA1: 46e5f038c3e30ca153cebc9e53a680e44faba881
   SHA256: 7db7bc0c7179b17a9799eb73b9fc7da340b6da90b04a76614d149dbd1f7beea6
   SHA512: ab055009c3ec3ba7dcaf6b97b189a593ca7d9441a7f83279726f241b7f54a4a0499c337f5be476e4bb293ea44364e58b6b451e8692cc31f7cc4bc288b312623d
3. Filesize: 203B
   MD5: 478a7bc2b9f9478fb3850f7d8e89c557
   SHA1: b4360a28f1b6def3490fd4ca6c0e5b3e74e679a0
   SHA256: 3d153829e970f9e58d3c73428552a0d5c3e2968500e7c42a892b8085963cc2c2
   SHA512: 63c11c270fa1e36611ed874be000d791e4ac40322e463ef2e579541e462def2f01f802dc2127ce92c027fac2e49bfad24825b9f33e747545f11a69d47d8783e9
4. Filesize: 2.6MB
   MD5: 55e522d0df04f016d41eb9c70fba2229
   SHA1: 7779ed5d0ede5f8ff781d7ab77b93d32215ed099
   SHA256: a514983d65c0a79dce30255d214f1737874922956cb46cfb25f60421910b8758
   SHA512: c08db5cfcc9cdee57c224217644cd7dd2d54e262e1010e76f799dcd5972d839729ef9ee0ebb117d1ca7beed0f783fcf386d6054aad5b029073ee2191f5e0a809
5. Filesize: 2.6MB
   MD5: d95f209c6ed6c820112bee01886eebc9
   SHA1: 459e56c005f66cd9cc9923a66109d7b9330d8ad1
   SHA256: 0f0fc81d47826f86350624cad74595c681237b96988d7b25034b357c778ed8ae
   SHA512: 2b8902a2ddb15f77d6d3891e495c431214eae96e136af9e947defbdadd30acd394fac7f8152926c958681e402e0459df6d76bdc1b30f6a771065a3fda0f7be36
6. Filesize: 2.6MB
   MD5: 6b92cb0243a50aa83c7a656d1b89b31d
   SHA1: 086750dd9b8c8dfe45e0d6249a9f460cf6168def
   SHA256: 44fda56c86395f9b42493e2244cc36137a421cc0757db3de69ad6a61dbaa67ce
   SHA512: 1751f2f1c404b0e83cde9176549fb1c0ef066ceadad3840d892283cafce2f198a44510bd52295799a83f2b42d31e274aee4de0ecb7b4c11f90a45a57b8dfc2c6