88ce3919fe61bcd4cadce0bab9a661d036fa4f5999be26f5325e248eac9538f9

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2733525ba16eaa5582f7c1eb8c472ca.exe
Size

3.2MB
MD5

b2733525ba16eaa5582f7c1eb8c472ca
SHA1

7f7ad83ef8ad967f511b456c87c9575953e2602e
SHA256

88ce3919fe61bcd4cadce0bab9a661d036fa4f5999be26f5325e248eac9538f9
SHA512

0ade74132256e25b1f265525acd2aedd049280640052f7ef9c634053591186f8b37c5dc6756dd51c28247ea853882824d7ceb841047217671ed68b4206e4d384
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpXbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	b2733525ba16eaa5582f7c1eb8c472ca.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	ecadob.exe
2616	xoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
3024	b2733525ba16eaa5582f7c1eb8c472ca.exe
3024	b2733525ba16eaa5582f7c1eb8c472ca.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGV\\xoptisys.exe"	b2733525ba16eaa5582f7c1eb8c472ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxH5\\optiaec.exe"	b2733525ba16eaa5582f7c1eb8c472ca.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	b2733525ba16eaa5582f7c1eb8c472ca.exe
3024	b2733525ba16eaa5582f7c1eb8c472ca.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe
3032	ecadob.exe
2616	xoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3032	3024	b2733525ba16eaa5582f7c1eb8c472ca.exe	28
PID 3024 wrote to memory of 3032	3024	b2733525ba16eaa5582f7c1eb8c472ca.exe	28
PID 3024 wrote to memory of 3032	3024	b2733525ba16eaa5582f7c1eb8c472ca.exe	28
PID 3024 wrote to memory of 3032	3024	b2733525ba16eaa5582f7c1eb8c472ca.exe	28
PID 3024 wrote to memory of 2616	3024	b2733525ba16eaa5582f7c1eb8c472ca.exe	29
PID 3024 wrote to memory of 2616	3024	b2733525ba16eaa5582f7c1eb8c472ca.exe	29
PID 3024 wrote to memory of 2616	3024	b2733525ba16eaa5582f7c1eb8c472ca.exe	29
PID 3024 wrote to memory of 2616	3024	b2733525ba16eaa5582f7c1eb8c472ca.exe	29

C:\Users\Admin\AppData\Local\Temp\b2733525ba16eaa5582f7c1eb8c472ca.exe
"C:\Users\Admin\AppData\Local\Temp\b2733525ba16eaa5582f7c1eb8c472ca.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\FilesGV\xoptisys.exe
  C:\FilesGV\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesGV\xoptisys.exe

Filesize
13KB

MD5
fbe3105945c809e8bf6e00f7fef8ce54

SHA1
e4b4b6a33f2126392c845abd1669f10511f5c42f

SHA256
588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d

SHA512
50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79

Download Submit
C:\FilesGV\xoptisys.exe

Filesize
3.2MB

MD5
d6082a7eb8a9cc4ebe7ad203941609df

SHA1
543721ac99dc88b422247c50643e21eccc077441

SHA256
f57c22a2f47edd1c3adc15d5c6f9cfd86dedd8361380c20d6bc497c5491eb1cd

SHA512
c4ce2ef78524ebd9d2290247cf58a01cfe0ea3a78b5e8bfc1acfb7a697b026b6d088224101cc6a4a3875a9fb3411cad65e58af32381bdbaaf38d065c2257a346

Download Submit
C:\GalaxH5\optiaec.exe

Filesize
2.2MB

MD5
05a847f3736abe4584fdc7278449c578

SHA1
42f5ee8bb0ff146f8e5109f2ddad9837d3c6a1bb

SHA256
67b2b6ef289d89fa60fe4c07df29738586aa2d2d693346f58140197d9fb9d532

SHA512
e623769419be31a9c0c45b74afb913078e242737c49fbb3cb7b71519ec859f1d3ac0b3a5de5d990eea1a7f2df3f3e6a821c705238af2394e509ab88b26855935

Download Submit
C:\GalaxH5\optiaec.exe

Filesize
3.2MB

MD5
9f1be59b9c50f73491507f19116dc538

SHA1
d78886b1a464040ae678000a80014580900e46c3

SHA256
235e36183cd3ae759cb0d409a18bca087149b531dac8ec8143a81aa485b8fe22

SHA512
fd3f6e44477407ca8ae9305154c588b9546f0182dbc41125d051b29104d328db13ed8cbbef9f6b60f9d913806fc3065a8cb62aa3a334e8cedde6b790a1909779

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
e2d9822d032b333903868ca665664980

SHA1
575936674f09b9ec8996595541e49c2a087bdf34

SHA256
af4feabc17f27b21e338ae71a9d8de2529476c289989aab4892949776427a687

SHA512
c9ad1df2c31e0afc2a1fc11b7b4ee7682dc264705cb440d2ae69c618e8079200462609e56c419f242f731bd40228c021f94dee652fd780e4d9ce8530359199b9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
f67737604263f7436b162c14d97f543c

SHA1
66377429b0d083211a2b5f2650277b42ce211491

SHA256
0712bf72cfbdf7f9a6b4f380b3c4556378b8104f20555e8d3037c1a191f18f48

SHA512
4657b21561ec4cb92dcef5a1636541f479f41682f9d890c16d6d59e7277453ae7cb822f15d9bc7119a3fc2316ab403a2e49ef64b4bada8d68e6cb1bfd13fdf44

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.2MB

MD5
af5f7a433bd25ae1872a54ce501400c6

SHA1
8371dabbb99076efc4c0db87e27ee68f4e9b2af6

SHA256
83c740b551d726af37690cbe906ea64acb169306c3820e67af634cb1e1b7111d

SHA512
b40196aa2d845fb81d09fd1f9070058cbe6c669bbaa7ad608bb944b3d3d975b0847103afe72d883b1ce8f8970554e67321278411ed700257f5904b521f510e4b

Download Submit