Analysis
max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
13-11-2024 20:05
Static task
static1
Behavioral task
behavioral1
Sample
db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
Resource
win10v2004-20241007-en
General
Target
db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
Size
2.6MB
MD5
1804e3d044e72e1b2954bbc7c97cc510
SHA1
9a0df2dae401ca018676a81265780def3eebca20
SHA256
db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9f
SHA512
de1065df57fc1cccdc4baf44a56e312ee9c3c0c7e1d8e543e21cb3292eaabdbe1591f17b608559231c089f64380c19386ae2cfbab765d7d93aefcba02d2d74f4
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUpCb
Malware Config
Signatures
Drops startup file 1 IoC
Processes: db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
Executes dropped EXE 2 IoCs
Processes: ecaopti.exe, devbodloc.exe
pid | Process
3012 | ecaopti.exe
2112 | devbodloc.exe
Loads dropped DLL 2 IoCs
Processes: db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
pid | Process
2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocF7\\devbodloc.exe" | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHI\\boddevsys.exe" | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe, ecaopti.exe, devbodloc.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecaopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodloc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe, ecaopti.exe, devbodloc.exe
pid | Process
2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
3012 | ecaopti.exe
2112 | devbodloc.exe
(the 3012 ecaopti.exe / 2112 devbodloc.exe pair repeats for the remaining entries of the 64)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
description | pid | Process | procid_target
PID 2372 wrote to memory of 3012 | 2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | 31
PID 2372 wrote to memory of 3012 | 2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | 31
PID 2372 wrote to memory of 3012 | 2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | 31
PID 2372 wrote to memory of 3012 | 2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | 31
PID 2372 wrote to memory of 2112 | 2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | 32
PID 2372 wrote to memory of 2112 | 2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | 32
PID 2372 wrote to memory of 2112 | 2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | 32
PID 2372 wrote to memory of 2112 | 2372 | db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2372
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3012
  C:\IntelprocF7\devbodloc.exe
    Command line: C:\IntelprocF7\devbodloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2112
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2.6MB
MD5
c7cae401176155dccd042a571fac8818
SHA1
b9fd9b8a5e880cea58579f813a3e1b8c37ce9513
SHA256
7581b006e2e9b799484788103d9fd3414daede52d3b435ce5babbcc6afffbb5c
SHA512
8e6e43e9fdfe7d3f93595b045dccdbdc8248397aa7c9da35e541a9c8a1d2e8f7c64c70bd7f8f6a7b6d4e13b9877cab2f2f2fe319e62530d6f19711cb6e06f61f

Filesize
2.6MB
MD5
2719ca20d9509d01814a22f1d4743f14
SHA1
3e5655ee0bf7456279f9e692a6b322ad321f6c74
SHA256
a4c250d44d43362adb143f36715f8bf3951ce1d6d442a28a59fde12681eab781
SHA512
b41fb92f64b109cf96072182f288f4433e80f0c5971e857ade54b74f8fea4dca563e5ac87efc57403041c53765cf215eed3c43dd797d32050067f323a5dc1595

Filesize
2.6MB
MD5
f3a24a59afbe17d52edf76a85a5c9572
SHA1
5c06d06703f5ebbd68a2f69d9fea9c68ed686f36
SHA256
b301bf2fc5c221bcacd828849e3f7b5fecb1a36aac39942d9fe226c86f5e22de
SHA512
2d9865c67ed25fbe722aeaf710a291126bad9d2fd413bc7cbb34733a80f989524262e19b0d8b5b408b3ca90e1e52ef1b074b4cfe0dff86f9be4f005209b76a10

Filesize
176B
MD5
1dc7aa5ea432558316d16dc625b9212c
SHA1
42aa895bc586cdaa3d6ec9d71a87de8339a70eba
SHA256
b3723f2ac97d969788fc6631878d736a7274815de9bd588c798fb2fa02ebc3ed
SHA512
5ee3714df7c60fc6ff510fb014b5580ad06bbb6fe74867a37786fae92c395939e96ca50638495d58b76bbac645afe9680dd1ad7d74ac4b29e154b766683b5e7a

Filesize
208B
MD5
fda0b68d30890faa25943cf7e033e08d
SHA1
ec8bae9e166ee1492b9e990c320ab2a2855ce427
SHA256
734c45571116cdaaa94af27cc6ddb50b1871f332eaaf3b89424afcdd8a213974
SHA512
a5121007f68a69eacd77f4c2d7fa6e2c0f841d63b3e6a3a7510075c17e7bf054fdac3dca255091dab90c756b0741f7bb9ce282cc26cde717b11ca9e3c5e9c9d8

Filesize
2.6MB
MD5
f3b2b395ada98d83990d0b8c1c6a86a4
SHA1
4f70ce1778f519dbbd3ac337b000d1fea389f3b3
SHA256
299f0e3e8027adf2e34c1937b2b87c30c19b0ba3780f049ad84f4e79c1aaad14
SHA512
51f2c05a1108aa4986bdf5938bd2d6c02e0e993afcd07f224af0fa17f5b50c993f5ae123e8bedfdc164c14e06f9310f3a8400e1b28cc5ba291f7726c5be987b6