7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe
Size

3.0MB
MD5

74db3101e211f3aaf339a31ced997dca
SHA1

1e78d751675de96efb5b9d37a9372f58d1412aa1
SHA256

7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c
SHA512

1cf2694e871e49da13dc6690a5ab489892243ee14ed101ce215a3b84351b1fe549d135627b3943ed63a09be06cd4ec4cc4681acc5fd473ac881e2fbd7af8819a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSqz8b6LNX:sxX7QnxrloE5dpUp0bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	locaopti.exe
2636	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe
2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX5\\abodsys.exe"	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6C\\optixsys.exe"	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe
2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe
2572	locaopti.exe
2636	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2572	2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe	28
PID 2208 wrote to memory of 2572	2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe	28
PID 2208 wrote to memory of 2572	2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe	28
PID 2208 wrote to memory of 2572	2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe	28
PID 2208 wrote to memory of 2636	2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe	29
PID 2208 wrote to memory of 2636	2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe	29
PID 2208 wrote to memory of 2636	2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe	29
PID 2208 wrote to memory of 2636	2208	7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe	29

C:\Users\Admin\AppData\Local\Temp\7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe
"C:\Users\Admin\AppData\Local\Temp\7f66dc94777a091ab724d19833b2715af386861d392e7bc3dbcce4f4c5c4023c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\UserDotX5\abodsys.exe
  C:\UserDotX5\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ6C\optixsys.exe

Filesize
3.0MB

MD5
4fd502c1b59b8f3f340acb5ed655b766

SHA1
cdfba6b301235bb0bc32b7d8c8d209939091a637

SHA256
17df360903eac5436729db7b0dcba9fcae4a98ba1ae8ee67a1952f76a012d777

SHA512
c3a0ee84352f74e37565476d7450d4834da4477ad4645655e4f1c62b9d7f894c0d5534aaa7b41e6ae58ff61ccffd53e1e25ba93f42f0b9d84826f9b805671170

Download Submit
C:\LabZ6C\optixsys.exe

Filesize
3.0MB

MD5
f896e2f0a4172a947c67a2fb8ec9a96f

SHA1
1a1666d6ebd0e087307f722475f0ac9c1931d9ff

SHA256
5162e199bd55bbb6743bee80c0c690a6a51b56f77a584df766d4e39d85bd55f0

SHA512
b6d5d5efb714d352def1a1a73ca38c7bdccf26c72338c7cc7a5b7eb8b6164378df76fdeb9032227beab8c77c49732f4147d45fd18de2c58c260e69873b5eb4b2

Download Submit
C:\UserDotX5\abodsys.exe

Filesize
3.0MB

MD5
a4de51dd113e5f5021a059230815abfd

SHA1
91b94d51cf129810e0e657942cd05178bff26fdf

SHA256
084e2629d9ccbcf93318fe0358a29a26ac5f29fa6bec173cf5bb50b5ffb3d131

SHA512
14f162a2dec483f77474c45cd4ac3c03865fb9d706a3d067116c5eb901a2d83a0d81fec0a49f393317df64e93caa3e5215ceb79c42a1eb2486101c9f8084b934

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
94d2c03941d6485d0122c35f7e31cfa4

SHA1
15083799ec9430d72c43597a323f69fc19fae9b8

SHA256
d47ceadc42f48e3777fdeb9c6724a471c329ab04cea3d0f5bbcc397bff8a19c0

SHA512
100051ad972577355983bbab0f338cd4ea41273c6ab56b12a416118c9b82b44d8d95a9d65aa706727e4cad028f637807b0445e8c09bcfa5fa48f3e6f6b1015e7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
55fea36e9d008a93a98c4234d894d6bd

SHA1
b3fb864c512dd88347e5d9d275c394ed521ecc22

SHA256
21c7bb89c8c3c6d43f09aa767e6bc5378d2761462c62cb8588b7586ff7bde74d

SHA512
d7cb7719e2ac6d2225e465c567663fbdb9366615c441c43f3d39825694f4617461e5fe440aa49038b85928d76132a14076bdab5813c3c6207d673597098870d5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.0MB

MD5
2e99b9e5e0f24b8a664422316e5e994d

SHA1
c9fc4d5444903c99d82af155db3231d052d5b518

SHA256
3ab88e9603d6c32c8289a6236edb0b17adc86eb51c476b54b3c0e5c3ecde1865

SHA512
03b937ce8f43b85ee7d86140e996b6efdde4b7be3971dbaa55662c53247d408067e378dada70313d51d531d77888fb02e61e0ba09673fb36b2f8a56e0d73eed1

Download Submit