Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 14:03

General

  • Target

    9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe

  • Size

    2.6MB

  • MD5

    01f60557ffd5707eeb3f3f0beaea875e

  • SHA1

    500a7b246bd9b0f6eeff18098d5b347103e3e447

  • SHA256

    9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6

  • SHA512

    65c4e81051eda876f55a2bb6d8e9b2081de730670e57e670d2a7c9c4c782724dbd099d9df5d4c89a9cc6a91f999088cd0d4220aba6935465b3a0aafa0b2b13d7

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSm:sxX7QnxrloE5dpUptb/

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
    "C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2708
    • C:\IntelprocLS\devbodsys.exe
      C:\IntelprocLS\devbodsys.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocLS\devbodsys.exe

    Filesize

    2.6MB

    MD5

    5472ec4779c66e08ba32b922588d8644

    SHA1

    ce2a322ed201915abe64ac312135009f1193bd64

    SHA256

    5284a8f70c4579f6676c27f6100d5bfd693a24febf9a9fb6e352eea0b15aaf6c

    SHA512

    66b9e0beeca9af2116cabbb6c09742b3dae9e5468feccd0703a2578f8f7274c525ac445dca448846964cdd39bc95d384c0af81646a7784b1626b404414ae55ff

  • C:\KaVB7K\bodasys.exe

    Filesize

    2.6MB

    MD5

    96dfcdbc9a767ea0c036ff4f2919d011

    SHA1

    2267e2951a3b20c4fd812a5f31ef9fb5187c3a3f

    SHA256

    6de9a38b7cf118daa4f091400b440298e69f898c79d78a9e52408ba965cdbc4b

    SHA512

    7612b80361f129bf49c59229f71363960aa884c9b01c62d25f4c25ec659c5ca0e874ec2de9313c35001609c0b96d4b3f095e04e8ae6925e143f9b9ce8d326a2d

  • C:\KaVB7K\bodasys.exe

    Filesize

    2.6MB

    MD5

    ea842cb1561876361cd3f9c432d6444a

    SHA1

    9be3afb6886b3bfe3c4998797badf1c3383c5aec

    SHA256

    19d8be71ad1d089eb25c98dfaa1d4811445f9eeed5a8402c4590ff566e2ba9da

    SHA512

    8fe6ac926a7ef33631bf3ad511a03c8d1fd0e8c170fd064ff81aef8e1ef239937725c0c18123bf23bc48b938d38e547be48cbba01c0ffdee66379df9b96b63ce

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    174B

    MD5

    a323af449f19b4029b45410512675414

    SHA1

    fe30b5f775b68f24a5ebefe2475d4a1a4681ffdd

    SHA256

    7f0122cd95ede0b520a863522d4a8678ca4a28ac0b5d53e7c8b79786d4fccf39

    SHA512

    2e30117bf5aee84a25de551050f0ffbbfd02e44365ed9ec9408d059aff48ba9633ac92d6b7a81c7e08f43f542f4621711b28074b2524ac392c518c722eed14a2

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    206B

    MD5

    73b3691406e262bc64516f17181a0d27

    SHA1

    bdef5884bb344d356052a281bce039e4407f7da1

    SHA256

    bc0576482a2d4b05f27afca47c125eedba9a486d042b703685844a77f6762423

    SHA512

    8ee5d6e4dac30faea0e3a9c07ca88cb394fd49943520701e381ef95f8cbd08d49fb736d69678a0d374eb43d040edb26740d0d73e65e7942ecd3ff1cfe6c94c34

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

    Filesize

    2.6MB

    MD5

    16eb8daf81b0cb24e5233273668a891f

    SHA1

    6ad845c1f49748fcbb9e12d769ce80a0f9020e76

    SHA256

    98bcb696c1f451c11aa2af7e5f5cbd01bb106d97dc4b1f91ed77d9d9eb40066b

    SHA512

    e551c81fc535b93f95b0121a1e4c747bf292e109bdc95b4a609e6b6989f055c9336b2376674e11f081ad81e1028c85c019191e9406a238aee3dd302ae9474020