Analysis
max time kernel: 119s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:00
Static task: static1
Behavioral task: behavioral1
  Sample: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
  Resource: win10v2004-20241007-en
General
Target: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
Size: 2.6MB
MD5: f7cf191c3efdf86f2d1a224d2d47fd70
SHA1: 4d6cc971511f21e001654d7600db6984c71a57ed
SHA256: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8
SHA512: 730714123d20e8c4dcc046ae7b6f4d1fe5a08f6d044eed175c084f3dfe39ca141222c6f85d8f885db5d8494f0672bc491cd364abdf0ec31e3875ba31f96d0ae3
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSq:sxX7QnxrloE5dpUprbV
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe  (process: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe)

Executes dropped EXE (2 IoCs)
  PID 1236  ecabod.exe
  PID 2804  aoptiloc.exe

Loads dropped DLL (2 IoCs)
  PID 1580  d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe  (2 hits)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Q\\aoptiloc.exe"  (process: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8B\\dobaloc.exe"  (process: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: ecabod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: aoptiloc.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1580  d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe  (2 hits)
  PID 1236  ecabod.exe and PID 2804  aoptiloc.exe  (the remaining 62 hits, interleaved between the two processes)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1580 (d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe) wrote to memory of PID 1236 (ecabod.exe), procid_target 30  (4 hits)
  PID 1580 (d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe) wrote to memory of PID 2804 (aoptiloc.exe), procid_target 31  (4 hits)
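The two persistence signatures above (the Startup-folder drop and the Run/RunOnce values) are the actionable part of this report. The script below is an added example, not part of the sandbox report or of the sample's own code: it parses the report's own flattened IoC rows (copied here as constructed input) into structured autostart entries and applies two checks an analyst would want before writing up the host: whether the launched binary sits in a folder directly under the drive root (C:\UserDot8Q\, C:\Mint8B\), and whether each autostart target was actually seen executing in this run (the process tree shows only ecabod.exe and aoptiloc.exe). The regexes, the `PersistenceEntry` structure and the `EXECUTED_IN_SANDBOX` set are assumptions made for this example.

```python
import re
from dataclasses import dataclass, asdict

# Constructed sample input: the three persistence IoC rows copied from this report
# (the sandbox's flattened "description ioc Process" rows, backslashes as displayed).
REPORT_LINES = [
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Q\\aoptiloc.exe" d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8B\\dobaloc.exe" d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe',
]

# Binaries the report's process tree shows actually running in this analysis (assumption
# taken from the "Processes" section; adjust if you re-run the sample).
EXECUTED_IN_SANDBOX = {"ecabod.exe", "aoptiloc.exe"}

# Startup-folder drop: "File created <path> <process>"; the path may contain spaces.
STARTUP_RE = re.compile(r'^File created (?P<path>.+\\Startup\\[^\\ ]+) (?P<proc>\S+)$')
# Run / RunOnce value write: 'Set value (str) <key>\<name> = "<data>" <process>'.
RUNKEY_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\(?P<mech>Run|RunOnce))'
    r'\\(?P<name>\S+) = "(?P<data>.*)" (?P<proc>\S+)$')
# An .exe whose directory is directly under the drive root, e.g. C:\UserDot8Q\aoptiloc.exe.
TOP_LEVEL_EXE = re.compile(r'^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)


@dataclass
class PersistenceEntry:
    mechanism: str   # "startup_folder", "Run" or "RunOnce" (all ATT&CK T1547.001)
    location: str    # Startup folder or the full registry value path
    target: str      # binary that will be launched at next logon
    set_by: str      # process that installed the entry


def extract_persistence(lines):
    """Turn flattened sandbox IoC rows into structured autostart entries."""
    entries = []
    for line in lines:
        m = STARTUP_RE.match(line)
        if m:
            folder = m["path"].rsplit("\\", 1)[0]
            entries.append(PersistenceEntry("startup_folder", folder, m["path"], m["proc"]))
            continue
        m = RUNKEY_RE.match(line)
        if m:
            # The report prints the value data with escaped backslashes; undo that.
            target = m["data"].replace("\\\\", "\\")
            entries.append(PersistenceEntry(m["mech"], m["key"] + "\\" + m["name"], target, m["proc"]))
    return entries


def triage(entries, executed):
    """Annotate each entry with the two checks an analyst would apply to this report."""
    executed_lc = {name.lower() for name in executed}
    findings = []
    for e in entries:
        basename = e.target.rsplit("\\", 1)[-1]
        f = asdict(e)
        # Legitimate software does not install itself into a freshly made folder
        # directly under C:\; both Run/RunOnce targets in this report do.
        f["exe_in_top_level_dir"] = bool(TOP_LEVEL_EXE.match(e.target))
        # An autostart target that never ran during the analysis is a stage the
        # sandbox did not observe (here the RunOnce target dobaloc.exe); it needs a
        # longer run, a reboot, or static inspection of the dropped file.
        f["not_executed_in_run"] = basename.lower() not in executed_lc
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(extract_persistence(REPORT_LINES), EXECUTED_IN_SANDBOX):
        print(finding)
```

Running it flags both registry targets as living in top-level folders and marks C:\Mint8B\dobaloc.exe as never executed in this run, which is the detail the process tree alone does not make obvious: the RunOnce entry points at a binary that will only fire after a reboot the sandbox did not perform.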
Processes
C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe  (PID 1580)
  command line: "C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe  (PID 1236)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  child: C:\UserDot8Q\aoptiloc.exe  (PID 2804)
    command line: C:\UserDot8Q\aoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: ddbe523fec5896c73ebdfad2a068bbb4
SHA1: 03d285de7fc20968b3022fe31fbb4998204ce1d5
SHA256: 2ec30346fe5090f040a01935037a0af1ead048def0e2267b4ea9c59a3b8a1317
SHA512: 90a2037d71839040824d62d827553b896f2aac933626c9f204142b06c140eeae06b3f2d5eb230b84768911da662f64ba26a33e44aaa33e730c0958ffac588ea6

Filesize: 2.6MB
MD5: 625e64609280230258b1413393a0e659
SHA1: b5b6065c7b685e8b95d677cc0212edfa236680d7
SHA256: 8532fdb960eb340b32bad72cf25750eff89eadfa1da9d70f5cd98f10c24e62ae
SHA512: e65dbd9e9b1be1d7103cc1e2ae1027152508a7603256ca47e28658c71cd391b2af8882aa2a1386e211c7ce1c19d90730a998dbe27fd2c24c631ab1fa1acabfe8

Filesize: 2.6MB
MD5: c14273ffd7e8b7005e6e145ea032d81a
SHA1: 3ea4e1e6f201485bb343ff5aabbbeb0f2259cd48
SHA256: 44960a2615abb036c26e768b5da4c85394d356885b085ddebca1be2ba93e05a5
SHA512: 5e6825e0ad609dd2fcd6bf24ee096ad5cd08baa9faf25c2291cef40a7400b731a35db84d1dc2a8bcc5f8ea229849c6bb3776ea4b00edb719478abf673120427c

Filesize: 170B
MD5: bc0718787be037b59227fad328070f24
SHA1: 0c2cf1fce9905ff7cd8ff95d4679c091912c060c
SHA256: a094d79b791e03074a91190fc6810d96a4934d1fe16e380289ee4f28ecf799bc
SHA512: a77468912e4d1bc6357b39d92dc0d9ddde5f2a0da2b36e8dad70876f97442f4c28a6f7667e6be34342328b7e1be598e1d49c0cd382d51570025ce841d26790b1

Filesize: 202B
MD5: 6a6ada199eec0a132cf8ea43f1f61c11
SHA1: 9344e3a94a4774324f3e64a315b2930b5b74a10f
SHA256: ba6a175748e6033ab285cd1fcea7e71544a9b3059928e59eca30a310c4d114ce
SHA512: eac427e2e6dc9f526b83c535815fa7ee2bb7bd5c0fa21fc4ebace7e826429cf8ddf27d69f4263f0e4d9a7cfc53cc8cbf6e0305576403d518f6b0d0eebf8d5535

Filesize: 2.6MB
MD5: 8dd42663e66714d3cf08c1501ce18029
SHA1: af3ce807bda72cb424153ac6eb0367ea8697ac8f
SHA256: 475f3d8fbca9b480e9830fcf99144dab3d99b0bcab8ea7e18e9304489f3a7abe
SHA512: 14ce5b74f44825ead4a24a8396a4aea826128fee70a7e493deb2b4335b3e02b72a4e6d20a92eda5f55b2867bcc23bef5ad0d811dbadffd5ac818bb1a7fe2b10f