Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 14:03

Static task: static1

Behavioral task: behavioral1
- Sample: 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
- Resource: win10v2004-20241007-en
General
- Target: 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
- Size: 2.6MB
- MD5: 01f60557ffd5707eeb3f3f0beaea875e
- SHA1: 500a7b246bd9b0f6eeff18098d5b347103e3e447
- SHA256: 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6
- SHA512: 65c4e81051eda876f55a2bb6d8e9b2081de730670e57e670d2a7c9c4c782724dbd099d9df5d4c89a9cc6a91f999088cd0d4220aba6935465b3a0aafa0b2b13d7
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSm:sxX7QnxrloE5dpUptb/
Signatures

- Drops startup file (1 IoC)
  Processes (description | ioc | Process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe

- Executes dropped EXE (2 IoCs)
  Processes (pid | Process):
  - 2708 | ecaopti.exe
  - 2696 | devbodsys.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid | Process):
  - 880 | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
  - 880 | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | Process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLS\\devbodsys.exe" | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7K\\bodasys.exe" | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | Process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecaopti.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodsys.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | Process), identical rows collapsed:
  - 880 | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe (2 rows)
  - 2708 | ecaopti.exe and 2696 | devbodsys.exe, alternating (remaining 62 rows)

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | Process | procid_target), identical rows collapsed:
  - PID 880 wrote to memory of 2708 | 880 | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | 30 (4 rows)
  - PID 880 wrote to memory of 2696 | 880 | 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | 31 (4 rows)
Processes

- C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 880

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2708

  - C:\IntelprocLS\devbodsys.exe (level 2)
    Command line: C:\IntelprocLS\devbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2696
MITRE ATT&CK Enterprise v15
Downloads