Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:38
Static task: static1
Behavioral task: behavioral1
  Sample: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
  Resource: win10v2004-20241007-en
General
Target: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
Size: 2.6MB
MD5: 82ee2caabd4291c3f418f19b01e71ef0
SHA1: ae4eecd2446a59803a079037d2cfd42e3cae528c
SHA256: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad
SHA512: bdd9f4ef5d20e7ea24ae506ba6e929d968bcf38fc66341165b19979dbf9d5f3f57a8272a43adfdeaaea37de372c8329c1b6fd978440aaf22caa8ff9da5f706bb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSq:sxX7QnxrloE5dpUpMbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (process: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe)
Executes dropped EXE (2 IoCs)
  PID 3508: ecaopti.exe
  PID 3280: xdobsys.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWL\\xdobsys.exe" (process: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPB\\bodasys.exe" (process: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecaopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobsys.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (64 repeated entries, all from these three processes):
  4776: 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
  3508: ecaopti.exe
  3280: xdobsys.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4776 (6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe) wrote to memory of 3508, procid_target 88 (3 entries)
  PID 4776 (6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe) wrote to memory of 3280, procid_target 90 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe"
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 4776
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3508
   2. C:\IntelprocWL\xdobsys.exe
      Command line: C:\IntelprocWL\xdobsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3280
Network
MITRE ATT&CK Enterprise v15
Downloads