Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  Resource: win10v2004-20241007-en
General
Target: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
Size: 2.6MB
MD5: 3e43ac79893671e60cb51956afb88c6c
SHA1: a0d7cd7729b11903f090c6aef75e7d2dba4435a7
SHA256: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130
SHA512: da1abc2d4b99707afdc13569ff02bcbb440dca4f8eff4b53c59edabd9beb48140ea80130e4d5302a8d678882a5ae69972b19774c3d41215c456ac494e2b0c360
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSG:sxX7QnxrloE5dpUp1bv
Malware Config
Signatures
- Drops startup file (1 IoC)
  Process: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
- Executes dropped EXE (2 IoCs)
  PID 3344: ecaopti.exe
  PID 3940: xbodloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ9\\xbodloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQ9\\dobasys.exe"
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ecaopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (xbodloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the same three processes are recorded repeatedly)
  PID 2920: 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
  PID 3344: ecaopti.exe
  PID 3940: xbodloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2920 (3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe) wrote to memory of PID 3344 (procid_target 85), recorded 3 times
  PID 2920 (3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe) wrote to memory of PID 3940 (procid_target 86), recorded 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe"
   PID: 2920
   - Drops startup file
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      PID: 3344
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\SysDrvZ9\xbodloc.exe
      Command line: C:\SysDrvZ9\xbodloc.exe
      PID: 3940
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads