Analysis
  max time kernel:  118s
  max time network: 105s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        11/11/2024, 23:38
Static task: static1

Behavioral task: behavioral1
  Sample:   aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  Resource: win10v2004-20241007-en
General
  Target: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  Size:   2.6MB
  MD5:    c7e50d61c00eb75bba1d48ee02bef93a
  SHA1:   e0157de06f8dbeac93620ef7eaa32b5ce9f41339
  SHA256: aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde
  SHA512: 46b57b94d31730ef3d11c4a22cbeb92888a349f50cd439d3b378959ff64438480d1d7ea145c2dca972629df5502109f81ecf2ebdd6ba26f3be1dfab2a5bcdb5b
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqI:sxX7QnxrloE5dpUpobVI
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc:         C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  process:     aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
Executes dropped EXE (2 IoCs)
  pid 5060  ecdevopti.exe
  pid 2468  xdobsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive items.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHR\\xdobsys.exe"
  process:     aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe

  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHY\\bodaec.exe"
  process:     aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process:     aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe

  description: Key opened
  ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process:     ecdevopti.exe

  description: Key opened
  ioc:         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process:     xdobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; the report repeats the same three pid/process pairs, listed once here)
  pid 384   aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
  pid 5060  ecdevopti.exe
  pid 2468  xdobsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid  Process                                                                   procid_target
  PID 384 wrote to memory of 5060    384  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe    89
  PID 384 wrote to memory of 5060    384  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe    89
  PID 384 wrote to memory of 5060    384  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe    89
  PID 384 wrote to memory of 2468    384  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe    90
  PID 384 wrote to memory of 2468    384  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe    90
  PID 384 wrote to memory of 2468    384  aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe    90
Processes
  depth 1: C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe"
    PID: 384
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      PID: 5060
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    depth 2: C:\FilesHR\xdobsys.exe
      command line: C:\FilesHR\xdobsys.exe
      PID: 2468
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads