5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 21:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe
Size

3.6MB
MD5

5d1341010db100bafa51549e39a5267e
SHA1

547b1fa6109e05a40ef60468b064ad1bf4066a7b
SHA256

5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75
SHA512

1b5010b9b5e38c3fcb8f0ac75d093e8bc59042c9a130ef082f2e8857028116cf103e16b5fcd5d3cde383bbd68366f5877e518bfc8bee56037da2160bd64104ab
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBhB/bSqz8:sxX7QnxrloE5dpUp2bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe

Executes dropped EXE 2 IoCs

pid	Process
3008	ecdevbod.exe
2644	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe
2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocA4\\abodec.exe"	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBE\\optiaec.exe"	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe
2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe
3008	ecdevbod.exe
2644	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 3008	2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe	28
PID 2200 wrote to memory of 3008	2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe	28
PID 2200 wrote to memory of 3008	2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe	28
PID 2200 wrote to memory of 3008	2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe	28
PID 2200 wrote to memory of 2644	2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe	29
PID 2200 wrote to memory of 2644	2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe	29
PID 2200 wrote to memory of 2644	2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe	29
PID 2200 wrote to memory of 2644	2200	5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe	29

C:\Users\Admin\AppData\Local\Temp\5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe
"C:\Users\Admin\AppData\Local\Temp\5204a46f8c18f270c34ee130479ee839e7732675eadf022525e3fef47377cf75.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\IntelprocA4\abodec.exe
  C:\IntelprocA4\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocA4\abodec.exe

Filesize
3.6MB

MD5
90679748e55b0ca1457fe306ddfb8374

SHA1
f062794fcd6ff6b723d0823b0917ba5332dc7630

SHA256
0659ffbde2ed6eebe41b5fb614b3bd520522e6ebcfdf47aaf73947cad4b7a0c4

SHA512
606bf188c8ca32344a57c5d9b2f8aa4fa3175d89c62f3debd9e3086befcc0feb64a02f501a9d3b8bdbc8b7ae39405d272fe73f7b73e1a149b1102a06732ab3c6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
306cfd732666f6cfef37e3aa40eb503d

SHA1
086f53ddcc860ad15fec93c5a5d4e7d8892669db

SHA256
2ead675401cec3a4274121d0ef19bcd02039ad297c76da09dae73949bf29ef49

SHA512
9206bd3cb9d952bed2a5e7a9791ea68e67aff7df9d3e4ac43960a9697e5213f7b08f1a1a5ab691c36ef7ebc2bcf348dbb4b833334fce05a2f11aab21fd3497d8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
7016efb98343a5c2b39d639035e40673

SHA1
6081d73d0dc4b8abd3b78bc6e1659e214c966834

SHA256
f10113d679d59c3d243b8f68ae1779290388668e98038522fc9f6ef018dba521

SHA512
ceb6d5e4f8e437aed92c5c185f922d22c89fa584ad01a55effb3c5dd528a575535e0881e180b2a2f3358d168aabd054f00c744a8bc33c4717938ce05b1bbbc2f

Download Submit
C:\VidBE\optiaec.exe

Filesize
3.6MB

MD5
b814675134b8b6d1411118e76ee15727

SHA1
88bb6bbb05fd235ec89c1f2bc459a751d047f05d

SHA256
84ac588b885e53b0761d07235ee8aca503ddd633bf551152073209f152efe755

SHA512
06aaa4207dae2462f87759d9e81b8e661a04ddabef7471371590829ab68a29d025c92428bc466a8fab639de141e07224b366836e4aed205de6de678ff7a213f1

Download Submit
C:\VidBE\optiaec.exe

Filesize
3.6MB

MD5
00a5daef5f464efd55c77cfae09469b8

SHA1
8cc0c0d74ef2a33c07d30ebcd501eadedf4baeff

SHA256
ef5ed9e21d15c12844277f132460b443e227bc1961c2030a71d3419381bd53a7

SHA512
a82e17f3f3d363368b021519f1d23ccd55d88cee9ee4decccedab67d91b508b52911f5b8803ae24c613a09eeb4b5db642a516e8375a5aa01ec3b08cb73c96785

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.6MB

MD5
148726362b1e0ca27c10809485a8d983

SHA1
de6385f21cf02c0245f584ce1cc16bdf6ee98d8d

SHA256
9a6aa59d12ae579bb5141d53b4d2e841f0f48804a474901b2a058f9b2a4918d3

SHA512
3e316b0517589824c52822f1ef0b18ead0eb1b7f29be34ed2e3359c3f2bb3c06239798cfcc0136d04a500dc16ab16ccecc2984678091beea1ffca30fe4271af0

Download Submit