Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 16:38

General

  • Target

    6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe

  • Size

    2.6MB

  • MD5

    82ee2caabd4291c3f418f19b01e71ef0

  • SHA1

    ae4eecd2446a59803a079037d2cfd42e3cae528c

  • SHA256

    6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad

  • SHA512

    bdd9f4ef5d20e7ea24ae506ba6e929d968bcf38fc66341165b19979dbf9d5f3f57a8272a43adfdeaaea37de372c8329c1b6fd978440aaf22caa8ff9da5f706bb

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSq:sxX7QnxrloE5dpUpMbV

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
    "C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3508
    • C:\IntelprocWL\xdobsys.exe
      C:\IntelprocWL\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3280

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\GalaxPB\bodasys.exe

          Filesize

          1.3MB

          MD5

          95a736837ca062a591640e8becbe0c44

          SHA1

          de887b853f6d80b71321396e8fba7930559c9a6c

          SHA256

          39eb57fb7b1cf44c0581579accee8db93077f7b4bbbe827bd79e1574a8a48c4b

          SHA512

          3bb5b58bcfbae0bc9ca471e354547c737df99db4d1f55b9e72ad983e6008c6e8659738ee65f5fea0336a222f61c00f448f1c90ec17b86b4f0c07e50c1e913944

        • C:\GalaxPB\bodasys.exe

          Filesize

          2.6MB

          MD5

          18007fbdf320bc6433879ee1e6062efe

          SHA1

          1916ca5471b14af8392cdab02e54514f81662c04

          SHA256

          41748c737808f72d280d15e3776940ce148b5c49c950317e52f6455dfd33bbac

          SHA512

          8acb9fe7a99788ef2e36d3938da6da2bd020b56e203a13a38eabead888dc2597afae0a01f3f4bea17359b7f8c660021129291d524f11f72f537744c39bc19515

        • C:\IntelprocWL\xdobsys.exe

          Filesize

          675KB

          MD5

          57ca0f3f1db9afd72993aa5c289db931

          SHA1

          2be1093a25d6d00e147f36e007513d34357bec5a

          SHA256

          663c55c6ed835acb3cb23c22575996d1f17bed0d990dee29b570e959f06eb7b2

          SHA512

          4f8ebee6a2b0d1e51c4d0ce305750fc46ea2e39b6bdfdb89bbebfbf8d69a02f735904d46ae27c4d48c10d655aef006016c96fe543bd9d6374bfd6e2c09d3d439

        • C:\IntelprocWL\xdobsys.exe

          Filesize

          2.6MB

          MD5

          e50d179addc86cefa500130add0d024b

          SHA1

          7eb8c829ae8dec31101f74da5108da31ef252072

          SHA256

          65f05f87ba32c672c39896d1e425c32129f7118b66182a43b076dd175316ad4b

          SHA512

          6514e2826f8f784ee0f12e29b4486aedbcdc2d5ff47f1fd5248621ef44c71d2d1f0312320366609db9f55d11386265fced8858ecf8a7eff7bc907d2523a8cceb

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          205B

          MD5

          70315d5b3ea3762df6a01a103ffca412

          SHA1

          b59290fd651249307519a235fcc42f370fc963d1

          SHA256

          c488d3ccdd7163a58b1bf63cdc3afeda228426ed2b4cc48c16f84f91680f08d2

          SHA512

          26cc6c506d381705ea5116974fd4e9e70ce7a0cbae97d80582e2181cc6c098b5d255f1c30441d3110f230caf3414b03cbd7504a89c3274ef55d931988c2ecd98

        • C:\Users\Admin\253086396416_10.0_Admin.ini

          Filesize

          173B

          MD5

          76eb5a6fb713225a47057587faf260ce

          SHA1

          0bf3b56d76f20480d7e9f38038674e9a95aee680

          SHA256

          3b76711d13874200b5ded274615b80f5fdb6b3510622a80bb74075c0255ee597

          SHA512

          776bbb292d4adfb61797027c0ab889afaf40c4b0b08cda441dd75ffd14c101d4712cd7898ac31568a50360d91f9f5252663e99063f2f205db0621cfd5bfd3bf9

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

          Filesize

          2.6MB

          MD5

          419c7169a885e87686c37b477ea9ac1d

          SHA1

          5d5b4e53954b992041a6f49b67a172543ff6b489

          SHA256

          4fba313e1bceb6098be4ccbbe50c20968e0635445313d4198bfb378e33048ad1

          SHA512

          7d78bd9c8985a5999a02fdb7481be84a5ca71f47794abb977fcedeeb5906561a42ff4e5a002f45541730fa2b28d8bafb181a237bfd564adbb24e3f147190d7dd