3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
Size

2.6MB
MD5

7f43e702314cf44035235486e870f2c0
SHA1

11d17ff50bccbcda964d01d2439bd3012256f7a0
SHA256

3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4
SHA512

19ab02b8003b9fc4f8009e5aa974da8f643f9bdde5bdae40540f6b283365a8a3a20822cd1cb82e5199ae8a1e1b74384856c180265a09b5c81a0cc38d17b9c5e0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSq:sxX7QnxrloE5dpUpQbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe

Executes dropped EXE 2 IoCs

pid	Process
1652	ecaopti.exe
2956	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5G\\devbodsys.exe"	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintY0\\boddevec.exe"	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe
1652	ecaopti.exe
2956	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1652	2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	28
PID 2420 wrote to memory of 1652	2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	28
PID 2420 wrote to memory of 1652	2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	28
PID 2420 wrote to memory of 1652	2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	28
PID 2420 wrote to memory of 2956	2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	29
PID 2420 wrote to memory of 2956	2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	29
PID 2420 wrote to memory of 2956	2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	29
PID 2420 wrote to memory of 2956	2420	3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe	29

C:\Users\Admin\AppData\Local\Temp\3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe
"C:\Users\Admin\AppData\Local\Temp\3ab3c26cb500e2288c16e23af3ea4f5e4d2bc6242889691e9cc7ad07a4ee9af4N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Intelproc5G\devbodsys.exe
  C:\Intelproc5G\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc5G\devbodsys.exe

Filesize
2.6MB

MD5
6fbd39a7f280cbc9f73ab6f3f2378ebc

SHA1
c04840c18bfc5e3daf66bb7fd6c9040662f5dd77

SHA256
0213b12b07b95e41dce713a1513581fe224621efba35e9d7581ae5162c242a76

SHA512
ef2bb0453df01e62e5a83fe17c48e61fd55ea8116c109c16cbcc70079e2e723888708947b29eb25bf20ccf7ab13e24fd4bec9f1b82bc7b6572dd1c5f48a97780

Download Submit
C:\MintY0\boddevec.exe

Filesize
2.6MB

MD5
6a217173e4b0047d7b6f955d9fb5a01e

SHA1
1a0c953a2a11d5263fed16c1f29b35622a595d78

SHA256
2107d99565ef4aa824839c5e376e3a18c8830203c0c65404973c49e607a2e3a6

SHA512
46b1f8ccc11cd492bbf69de002c1d501de2f201f1563a5475b5c17fff40238dc65eefbe8fac9c9565e17f6da73afa1c63a8d46d85feb6c5268482702b09beb6c

Download Submit
C:\MintY0\boddevec.exe

Filesize
2.6MB

MD5
2c3aff78e3582c556c565fb9540780e7

SHA1
c9816d84fecc209d0b004f0c9c3acfdde4f5f229

SHA256
61465692299b864942eb82aed0198ba0cb600d4681c8b0be653e27dbcde3f3c5

SHA512
2240fd08462e7aa534e1cfb2d78a5cbcdb81edd9ed7c2bb37b79847ebcb294b95411d4063d2e8448a2386fb4cffa8edb8f1ff5003635dade4b0a03139aeb50e8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
a0c725db69fd48c1f6a3f4ca8f6e442b

SHA1
5c5b5052f1a1a4212a8ec853f638f4cee9426f6c

SHA256
fa0aafd43fcbb7ae741bb604297dd9c35c861409aafec49bca28f62d0493e218

SHA512
0846470f53c8cf49690bdab08559f79943ed68c12298c091a5144aa3da9b89410ba3d41c15252b5149452fc185ef5b9241f6f5189aef05278252d04d23be2d46

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
dc0736a47e4ac5682f8c83235f0f0f05

SHA1
1de2a6ab4283be1523373958f358a0ebbd1a3b56

SHA256
2afa24316c671995cf4cab40f1dff240ff45108e9b9419f800c650bc17aed92b

SHA512
73f815535233161929cba498a1ce03f17c549e4e1d99a2c2aee4175ef15eab5331c0756cdde7a905b89936bdb2b05731ee75a67501b0af6b5a530d778a2498b4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
e5fd92602a0e48e8e818682ec7dabeec

SHA1
49e9bf8a0a7b49503213cc091c6b20dc30d9cd88

SHA256
3229830b78b04039571ce101400f6a331fafa33c8db3a31d605cdb1ddf8a75d2

SHA512
1dd91dc2a9309221466b0511ebe69c0b64a05e8f07d5e3c1b11bc495d915d0052aab0c6652c3bb4806a79d70e1b0beae0d8521db43a0b72756dd6c98888d2704

Download Submit