Analysis
max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
13-11-2024 20:13
Static task
static1
Behavioral task
behavioral1
Sample
1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
Resource
win10v2004-20241007-en
General
Target
1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
Size
2.6MB
MD5
62790805093f2630379ad1c157760e60
SHA1
0a13f012cc8f0a233235607ddbc3852f10ddcab0
SHA256
1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9
SHA512
bdcd535c45b69db4a4774cde6ede93db6c575ae1349fe1482c748eab4430509171139edcc06e37e89e349d2df2df30a19f119188d2e1326fb8e57fe6bbce774a
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpqb
Malware Config
Signatures
Drops startup file 1 IoC
Process: 1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
Executes dropped EXE 2 IoCs
Processes (PID):
ecabod.exe (4704)
xoptisys.exe (4636)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets. This signature is reported at TTP level only; the report lists no file or registry IoC for it.
Adds Run key to start application 2 TTPs 2 IoCs
Process: 1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQB\\boddevloc.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDH\\xoptisys.exe"
Both entries are written under the logged-on user's hive and share the value name Parametr, which makes that name a usable hunting hook. The Run entry points at xoptisys.exe, which the process tree shows executing; the RunOnce target C:\KaVBQB\boddevloc.exe is not observed running during this analysis.
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
ecabod.exe
xoptisys.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (PID):
1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe (320): 4 events
ecabod.exe (4704): 30 events
xoptisys.exe (4636): 30 events
Suspicious use of WriteProcessMemory 6 IoCs
Process: 1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe (PID 320)
PID 320 wrote to memory of PID 4704 (ecabod.exe), 3 events, procid_target 89
PID 320 wrote to memory of PID 4636 (xoptisys.exe), 3 events, procid_target 92
Both targets are children the sample has just spawned. A parent writing into a freshly created child is also what ordinary process creation looks like, so on its own this signature does not establish code injection; it is consistent with the process tree below rather than evidence of anything beyond it.
Processes
- C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe"
  PID: 320
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (level 2, child of PID 320)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    PID: 4704
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotDH\xoptisys.exe (level 2, child of PID 320)
    Command line: C:\UserDotDH\xoptisys.exe
    PID: 4636
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
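The following hunting script is an added example and is not part of the sandbox report. It checks a Windows host for the artefacts recorded above: Run and RunOnce values named Parametr in any loaded user hive, the dropped files C:\KaVBQB\boddevloc.exe, C:\UserDotDH\xoptisys.exe and ecabod.exe in each profile's Startup folder, and running processes with those image names. Files found on disk are hashed and compared against the SHA256 values this report lists for the sample and its dropped files. The function names and output layout are assumptions of this example; the paths, value name and hashes are copied from the report as observed in this single run.

```powershell
# Added example, not part of the sandbox report: hunt a Windows host for the
# persistence artefacts recorded above. IoC values are copied from the report;
# function names and output layout are assumptions of this example.
$ErrorActionPreference = 'SilentlyContinue'

# Value name the sample used for both its Run and RunOnce entries.
$RunValueName = 'Parametr'

# Fixed paths from the Run/RunOnce values; the Startup-folder file is resolved
# per profile under C:\Users below.
$DroppedFiles = @('C:\KaVBQB\boddevloc.exe', 'C:\UserDotDH\xoptisys.exe')
$StartupRelative = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe'

# SHA256 of the submitted sample plus the six files listed under Downloads.
# The report does not tie those six hashes to file names, so they form one set.
$KnownSha256 = @(
    '1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9',
    '8a6b9af2a3dcd372a7e9193777838c1b88a1b403f9f41760a33245d41f6b3e90',
    '8d6cd9e777421e132a64050fb154d4162347f6f88f4b5f5baa64376082808534',
    '403d1aa7d26b46aac8b143d916d570eb377226e2cafe62c912baf88b2ea4d1ad',
    '9e81242669b644a0e288f790a755ed0eda09a4951d366b20503315ae2f848eec',
    '621768cbba0a2ea8cc9ec6246c4cee80e803d8abba6d46112caafa62856de3bc',
    'c3a9304d32b80299e8a58a4a0c3343fa01fa9861e6512e0c105ee09e0207c4d3'
)

function Get-ParametrRunEntries {
    # Walk every loaded user hive under HKEY_USERS rather than only HKCU, so the
    # check covers other logged-on users when run as an administrator.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key   = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties[$RunValueName]) {
                [pscustomobject]@{
                    Type  = "Registry $sub"
                    Where = "HKU\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\$sub\$RunValueName"
                    Value = $props.$RunValueName
                }
            }
        }
    }
}

function Get-DroppedFileHits {
    # Report each expected path that exists and whether its hash is one the
    # report lists; a path match with an unknown hash still deserves a look.
    $paths = @($DroppedFiles)
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
        $paths += Join-Path -Path $userDir.FullName -ChildPath $StartupRelative
    }
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $note = if ($KnownSha256 -contains $hash) { 'hash listed in report' } else { 'path match only' }
        [pscustomobject]@{ Type = 'File'; Where = $p; Value = "$hash ($note)" }
    }
}

function Get-SuspiciousProcesses {
    # Image names from the process tree and the RunOnce target.
    Get-Process -Name 'ecabod', 'xoptisys', 'boddevloc' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Process'; Where = "PID $($_.Id)"; Value = $_.Path }
        }
}

function Invoke-ReportHunt {
    @(Get-ParametrRunEntries) + @(Get-DroppedFileHits) + @(Get-SuspiciousProcesses)
}

$hits = Invoke-ReportHunt
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No artefacts from this report were found.' }
```

Run it from an elevated PowerShell so that every profile directory and every loaded user hive is readable. The hash comparison is deliberately narrow, since it only knows the hashes from this run; a hit on the Parametr value name or on one of the paths with an unlisted hash should still be triaged rather than dismissed.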
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists six dropped files by hash only and does not map them to the file paths recorded in the Signatures section. Four of them are 2.6MB, the same size as the submitted sample.

File 1
Filesize
2.6MB
MD5
a07637f82860b8b7b5e0aeba0fa3cc85
SHA1
6b14f2580e5c5c37b0623250bd5ffaaebfdd7bd1
SHA256
8a6b9af2a3dcd372a7e9193777838c1b88a1b403f9f41760a33245d41f6b3e90
SHA512
35e07970ba0348c73c5ff67b2957ee746d929c84d278842d55cb868c327198077525448ae2445a38906c42e28306db01556cfb7be9a1fa6f59ea265e72141115

File 2
Filesize
2.6MB
MD5
0b07253be627d5b2d62e42fb2aea0b47
SHA1
150ecd8af321c5e7310ce3f378602d7b8041aafd
SHA256
8d6cd9e777421e132a64050fb154d4162347f6f88f4b5f5baa64376082808534
SHA512
fd4df607504751b81ba51c13ddac16144bfb2edce66645dbf96bbeb5ca3905a14a750ef854c5b500696c9db13e080af87a948397cb0ebdbd7552e982cb3b0168

File 3
Filesize
2.6MB
MD5
3f2f2e492aca72b681000b15730f58fa
SHA1
0045f1196f2b9ffdb973385e39c417cb7a0d33f4
SHA256
403d1aa7d26b46aac8b143d916d570eb377226e2cafe62c912baf88b2ea4d1ad
SHA512
43f3532e1523d01a71f1be27332e05dbe2a70ce51c23ba8a0dc55208f502b1ac7dc26f6a0847bb3d2cd411091cfda8483a83a91f773c33b28acb3becf18469d2

File 4
Filesize
204B
MD5
9752ce21851db248ef43b07e531a72a8
SHA1
03d4021038cf5f141f26059f6d93cc069cf3c037
SHA256
9e81242669b644a0e288f790a755ed0eda09a4951d366b20503315ae2f848eec
SHA512
36179b4157c33ae6f5457af80074e5c710d35fc4093f67aeac74edff522c7c1d013fa59815c8af4e5a54874529d3d72c8f14e35a38c3123b39a35f11fd63ed54

File 5
Filesize
172B
MD5
cfd35dbfae7d4e3f2ab701f6cb1e6ead
SHA1
ac1aecbc9bca5b9f539292feeb109b7bcffe92f0
SHA256
621768cbba0a2ea8cc9ec6246c4cee80e803d8abba6d46112caafa62856de3bc
SHA512
728b0b325aef2df4a1cc1c70029a780dffcd93718dcf79baa41140c5538def1104793d3ffe9ac5652266db83e2698e6bf87e069913c5b9101ca3829f9db70d1a

File 6
Filesize
2.6MB
MD5
9cb9de0b8f19c7358604e967d7cb751c
SHA1
add69ed24b75844953e9e9d03013012443d7c648
SHA256
c3a9304d32b80299e8a58a4a0c3343fa01fa9861e6512e0c105ee09e0207c4d3
SHA512
eae235019d65643e9cb75e59b502de0575b3b5efb2c02ecf7c429a9e4e47dd8ecd38f30d7d832d2e6441a1f16a1f7870c0a359a660497977ed1e98101b80967b