Analysis

  • max time kernel: 149s
  • max time network: 144s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 20:13

General

  • Target: 1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
  • Size: 2.6MB
  • MD5: 62790805093f2630379ad1c157760e60
  • SHA1: 0a13f012cc8f0a233235607ddbc3852f10ddcab0
  • SHA256: 1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9
  • SHA512: bdcd535c45b69db4a4774cde6ede93db6c575ae1349fe1482c748eab4430509171139edcc06e37e89e349d2df2df30a19f119188d2e1326fb8e57fe6bbce774a
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpqb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
    "C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4704
    • C:\UserDotDH\xoptisys.exe
      C:\UserDotDH\xoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\KaVBQB\boddevloc.exe
    Filesize: 2.6MB
    MD5: a07637f82860b8b7b5e0aeba0fa3cc85
    SHA1: 6b14f2580e5c5c37b0623250bd5ffaaebfdd7bd1
    SHA256: 8a6b9af2a3dcd372a7e9193777838c1b88a1b403f9f41760a33245d41f6b3e90
    SHA512: 35e07970ba0348c73c5ff67b2957ee746d929c84d278842d55cb868c327198077525448ae2445a38906c42e28306db01556cfb7be9a1fa6f59ea265e72141115

  • C:\KaVBQB\boddevloc.exe
    Filesize: 2.6MB
    MD5: 0b07253be627d5b2d62e42fb2aea0b47
    SHA1: 150ecd8af321c5e7310ce3f378602d7b8041aafd
    SHA256: 8d6cd9e777421e132a64050fb154d4162347f6f88f4b5f5baa64376082808534
    SHA512: fd4df607504751b81ba51c13ddac16144bfb2edce66645dbf96bbeb5ca3905a14a750ef854c5b500696c9db13e080af87a948397cb0ebdbd7552e982cb3b0168

  • C:\UserDotDH\xoptisys.exe
    Filesize: 2.6MB
    MD5: 3f2f2e492aca72b681000b15730f58fa
    SHA1: 0045f1196f2b9ffdb973385e39c417cb7a0d33f4
    SHA256: 403d1aa7d26b46aac8b143d916d570eb377226e2cafe62c912baf88b2ea4d1ad
    SHA512: 43f3532e1523d01a71f1be27332e05dbe2a70ce51c23ba8a0dc55208f502b1ac7dc26f6a0847bb3d2cd411091cfda8483a83a91f773c33b28acb3becf18469d2

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 204B
    MD5: 9752ce21851db248ef43b07e531a72a8
    SHA1: 03d4021038cf5f141f26059f6d93cc069cf3c037
    SHA256: 9e81242669b644a0e288f790a755ed0eda09a4951d366b20503315ae2f848eec
    SHA512: 36179b4157c33ae6f5457af80074e5c710d35fc4093f67aeac74edff522c7c1d013fa59815c8af4e5a54874529d3d72c8f14e35a38c3123b39a35f11fd63ed54

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 172B
    MD5: cfd35dbfae7d4e3f2ab701f6cb1e6ead
    SHA1: ac1aecbc9bca5b9f539292feeb109b7bcffe92f0
    SHA256: 621768cbba0a2ea8cc9ec6246c4cee80e803d8abba6d46112caafa62856de3bc
    SHA512: 728b0b325aef2df4a1cc1c70029a780dffcd93718dcf79baa41140c5538def1104793d3ffe9ac5652266db83e2698e6bf87e069913c5b9101ca3829f9db70d1a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Filesize: 2.6MB
    MD5: 9cb9de0b8f19c7358604e967d7cb751c
    SHA1: add69ed24b75844953e9e9d03013012443d7c648
    SHA256: c3a9304d32b80299e8a58a4a0c3343fa01fa9861e6512e0c105ee09e0207c4d3
    SHA512: eae235019d65643e9cb75e59b502de0575b3b5efb2c02ecf7c429a9e4e47dd8ecd38f30d7d832d2e6441a1f16a1f7870c0a359a660497977ed1e98101b80967b