ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
Size

3.6MB
MD5

854495e9b6b427e26813d567c4b1ea53
SHA1

7afaf89691e942a739253144c87629ec8fe58ad2
SHA256

ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3
SHA512

1503ea391240b6d369e95f3475e49fdd0c0580b0ca135540a8a82cd64b7c8d20ea6aeaa30234f0d260aa7852b671a83ee57f21bd5cd21e3f39c8c33012f73bd0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8:sxX7QnxrloE5dpUpObVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe

Executes dropped EXE 2 IoCs

pid	Process
2828	ecaopti.exe
3036	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWX\\abodec.exe"	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintG0\\optidevsys.exe"	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe
2828	ecaopti.exe
3036	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2828	1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	28
PID 1900 wrote to memory of 2828	1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	28
PID 1900 wrote to memory of 2828	1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	28
PID 1900 wrote to memory of 2828	1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	28
PID 1900 wrote to memory of 3036	1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	29
PID 1900 wrote to memory of 3036	1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	29
PID 1900 wrote to memory of 3036	1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	29
PID 1900 wrote to memory of 3036	1900	ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe	29

C:\Users\Admin\AppData\Local\Temp\ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe
"C:\Users\Admin\AppData\Local\Temp\ba79a57ad1d1bcfbd34b0ac68dbbe62d54616da8946012f27f2c88330c0ec3c3.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\FilesWX\abodec.exe
  C:\FilesWX\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesWX\abodec.exe

Filesize
31KB

MD5
6767e44b8f8de6e616ff4b3523b078e9

SHA1
c871cc62c3911e5350a063da1333dbe1aede5281

SHA256
fb9f9c9a72e0e98d461054f92faed7837baed42691d98807657f573b5375a6cf

SHA512
5660382a8368b7e9ffc099dc84a891904199c2feaa7bc7a16b39b7231f5102c04d6703a2b85492b3db7f9c101333e9b3270fe6657fd524d50c26b9d07958c2bc

Download Submit
C:\MintG0\optidevsys.exe

Filesize
29KB

MD5
8dc4d9694c17621720c320e82829dbd9

SHA1
a9ac9ea870162fc6dc14d43c98824d48c29ec74c

SHA256
73310f0dab90499fcda3b7fc967815f59418fd9a16eb2c5fdae380da74753d78

SHA512
bc76ddbcf70495f591f732f5a318f0de053184a7f9a94a2200be2db198ca084994c595437e721fa7d00df285a550501c22df2af8f77fd72840210ccca0fc8b3b

Download Submit
C:\MintG0\optidevsys.exe

Filesize
3.6MB

MD5
2e4303568b44a3c2d4c59f88df6f402f

SHA1
4e9508aebebca26c1a8fbfe207f0560deccd1c8d

SHA256
32a84729b5bc818f0a878b8ff349533112e116ef6c9ab6fa9e88595457c06314

SHA512
61cd1ea5f3a351a4dd6b533a1b37a985609302ada368f757ceff64db40710907a82c8239a0961d870d0d86ad0f52b659bc0b221539a7f36bd3c4bf57c7d60078

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
4423d8985a060cd9bd3b1d4b5766f39d

SHA1
4dc16421e1e317cd5b92937047086242ee7cea61

SHA256
566c0e565781e13cd044bdfe5e0763f37ede9dad54c155ff3e7920628b10f207

SHA512
bdd26d1dba96ed9a46d474b86bea59952d7fe2aa5cd1802c98316ec619dffeb6a0c5455daa06480da0ff06eb310b93f00db54a89797d07786bedd034faed9e05

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
28d1a6f7c1c1f2c063999b16ce2d3f3f

SHA1
36be69732768971ca93e898011dc669bdec099b4

SHA256
492227cd47d25a382c7faac41d1831a237232f73b10c1605e337ba5f9ded068c

SHA512
395b4ce53cf9467543271a9f4152c0db91df356810083c0d070b383a9116058f5f02e5b2c4d643310ae0181add644d80739d9a4fe85f6b145b970bf60083fe93

Download Submit
\FilesWX\abodec.exe

Filesize
3.6MB

MD5
7eb01e86cabe8c4fad0c9b7837f4c9c7

SHA1
8814b6255bbe230da9e55471440f8f9600bb7fc7

SHA256
69b136d91827aa752c52eff529cfde4816c543da9a4498d8f9f16195b9e7f140

SHA512
f048965206824d625ba7b46e0621e353b98348f0a114952116e0a31ba1a8b8b8549aa03a5e56ff5219707213c23a834151c7de94cc1d5a44b6152b2ff47eea26

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.6MB

MD5
84c61c721240e6b04f5e0e72e1779594

SHA1
3c36bfae56ad0b31b042c4bd7faa084e62fb8136

SHA256
fe2234f248ff659e9bcf7f8057248f95576deaf458b1b20328cd02b6d0bc34b6

SHA512
84d70e683f90fb27de4250f2f9a44b7b62423a0c1009763153625787d2ae720baca3f54c60e5365b4470144df045ec747381becf58bc3a9dbfea74c604b83765

Download Submit