b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
Size

3.6MB
MD5

2fe1a070e5d629a464fb9e069afae6b2
SHA1

67b5892b75ff1d5d5108d4f37fc8d74557e30e6b
SHA256

b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc
SHA512

09ffbeca7f84f8d7b270a688deffceef2c713940a118a6e656c9560876d08ab7ed04890dd3664d0cc40eaa907113b94127897a1d7ba63251045d068b8da5ed53
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bSqz8:sxX7QnxrloE5dpUpfbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe

Executes dropped EXE 2 IoCs

pid	Process
2032	ecadob.exe
1720	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotRC\\abodsys.exe"	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7I\\optidevsys.exe"	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe
2032	ecadob.exe
1720	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2032	2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	28
PID 2004 wrote to memory of 2032	2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	28
PID 2004 wrote to memory of 2032	2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	28
PID 2004 wrote to memory of 2032	2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	28
PID 2004 wrote to memory of 1720	2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	29
PID 2004 wrote to memory of 1720	2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	29
PID 2004 wrote to memory of 1720	2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	29
PID 2004 wrote to memory of 1720	2004	b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe	29

C:\Users\Admin\AppData\Local\Temp\b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe
"C:\Users\Admin\AppData\Local\Temp\b4f2781cee8554e8e16ac17b051928fdb0012fda3cf6ebd0b997a0f51a3042cc.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\UserDotRC\abodsys.exe
  C:\UserDotRC\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ7I\optidevsys.exe

Filesize
3.6MB

MD5
10c833421a8e2e0241f95508fea2d2fb

SHA1
3fa54eaeb4eeb3ae137f12e4b5e9d9240dd66ced

SHA256
cecb514c68092615aeb6eb365cb03b0b7b82ad8290396a363ea07faab1ce6d56

SHA512
fe70963f0814a212c142ff3ec4b8abc0c063b5712f3f9d3f1b05a2123c82e410cc40029af8e53f9d69233baab72d5f6933aea011bba60ece4fb3eb4aa00649d4

Download Submit
C:\LabZ7I\optidevsys.exe

Filesize
3.6MB

MD5
90140a8327222c8a3197f481149f39dc

SHA1
60093834622c59c899c88705934101b6addd6181

SHA256
e168c72a6bf5cb523e2a3ab7f35157df9d8ac1ce5620c980da19a207e1e7fe27

SHA512
5e292174ad4ddd75d85bdd62b72a0ca92c7fce926e2201a9d55dda86af826fe7f4c0e7a3ee41a91a83910a23bc8fa442fe616d95ee1327f1bfafdc9616e0f5ab

Download Submit
C:\UserDotRC\abodsys.exe

Filesize
3.6MB

MD5
db750a071e160751eb326eab7dcd05e1

SHA1
ac15b53716270511f9f108b813b3083909a02fc8

SHA256
b7808b28d1ef0aacec9dc87d4a5a9617b01d0d2174529e8f6e721ad95f8c4d4c

SHA512
db3b162ce2094259fff7c723cf71679ee497ad35451e1f3b0285fb05430ae9f6ae3d6a46678681c36c5901ee104f6a3302908532588695fa202fab43ef5a3108

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
2fd0cdb822047450958120f7b3cc1948

SHA1
9fea4130b6fdf75954fcce738b3fa05c8ff585ab

SHA256
cb4251c4c7bf7e01ef8686c6a7551adc048aa6bf1a4279682fdce5f37f82319d

SHA512
626e935d4dae6f0ff61dfbe556b6dfbdfbb10b0c93cee74666cc69d40825e8ce8401094065ceef03ffe76871f8a20db77b844f547261dde5294a5d7b8b3557dc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
7b625b29dbae853801445c38c8b49049

SHA1
9f8bf16eeebf139cb17b79692020ff1de1f89859

SHA256
09943339f4359ab404a2a22158ee08c45fbc182125ee744cfe92dcab2d5bffa8

SHA512
c8fd70f284e9fa90dee61dfe380ca3dca2dca26e747b627d3ec528524213c48f558c3393cdb334a3923cb40a612aaf99f426e20b66568322abd6376db65edd60

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.6MB

MD5
1fc37aca7c5ac9f616834c45f0afadf1

SHA1
d83b616330b98a9434441c462e5f127448b93183

SHA256
edede28f34d26c1e0ccafc8fab02bd854bc32d83ad981c46998e9365892c8e67

SHA512
b107a78eec164461774379b9841011b50f40a73a1d4f27adbf9bc363c64106e695f66c7571b5e1ede5c021a38b7db50198be62647374e20b2f5ec75b722539f3

Download Submit