7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 23:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe
Size

2.6MB
MD5

305892c827d0a3158477e44cd50f2624
SHA1

13253c3cd80d466d5294b099f97b4a6e6cb5c608
SHA256

7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c
SHA512

f3366e284a303dc4d22765ab922e0b7f954627aeaa620253df14e3e37a851c8bacb8105352864fce44fad673e25680c3bc0beac8c1fcfabb4dcb339a02b763e5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUpVb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe

Executes dropped EXE 2 IoCs

pid	Process
2112	ecxbod.exe
8	aoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXB\\aoptisys.exe"	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLY\\bodxsys.exe"	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe
3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe
3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe
3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe
2112	ecxbod.exe
2112	ecxbod.exe
8	aoptisys.exe
8	aoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 2112	3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe	85
PID 3624 wrote to memory of 2112	3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe	85
PID 3624 wrote to memory of 2112	3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe	85
PID 3624 wrote to memory of 8	3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe	86
PID 3624 wrote to memory of 8	3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe	86
PID 3624 wrote to memory of 8	3624	7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe	86

C:\Users\Admin\AppData\Local\Temp\7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe
"C:\Users\Admin\AppData\Local\Temp\7ec2228f05c98c6194788edc72fd3ba74bf9c0d99239026f3e8ea10bb67d681c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\FilesXB\aoptisys.exe
  C:\FilesXB\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesXB\aoptisys.exe

Filesize
2.6MB

MD5
78b4a21ca1cf4238c20cbddc8dec3036

SHA1
1e94b57eaa0c62988c95ee821188331d6195e359

SHA256
8d577df5d16add431873f843a73ca1f4625cfb23b2834ebff95317ff64a51d40

SHA512
8dd0d58df655788c790d0150018a4fd4dabcacb09dbf9b75155bc533f8af3825eb62cc4d1cbff5330e2bb3b1aee556080636f353c94baf3c46243d1cdd63d6d3

Download Submit
C:\LabZLY\bodxsys.exe

Filesize
878KB

MD5
7215a60e0fd0e9d9e88a551c62a586fa

SHA1
7ff816edda18423a5be7f829bc7cd72531dd7aa1

SHA256
f39c4735e4d9f36d7ad026cbe2ebba67085f36d3158debcdab6a12bfbbdb907e

SHA512
c53c0585536c8310ba437fca6828d3f399cdb6cf77045de2b0a133bdd69e39bfd59416c19b818d46d6e2a4bb818e1114907f79368d155e390c6b94ab5f132aff

Download Submit
C:\LabZLY\bodxsys.exe

Filesize
2.6MB

MD5
f3aba1c819fd6611bc6f36ce49d62a99

SHA1
3b31049f3844283d8e69f3516d39fc5af7dd87e1

SHA256
c87091886a1e68225b373429d33c4f0a22e8f3f88ad95d0df81e3e2bbc575220

SHA512
70171527697e848c7e2533ba61594e6f943f4d494d1573b3f078e3d787c3cbf3e2182e631eaa61e66f9bdb160fea6f8e0e3e55a128550c2800aee1e4ee1fd2e7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
019728fa92d34a7a515df167d72d9769

SHA1
1295793b02fb46215b547cd8849bdf23fc5310ae

SHA256
5ac777eb3f7346ad00ccda1244344684a0a164ad9fa0411fdc1615a8e80a1459

SHA512
0c2e19a5cb517638833942c41ec4c7e8f041d0c2af3f2b660d50251554efbdf339ed47914c93b5ec39cfa91dec6fe27d20eeffe9879de9f0c197834cda97581c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
1e13e171ba957a68d940b9b8a02e66b5

SHA1
d00a09c250b3409f973cd50c827651f8c62e5aea

SHA256
3b956b817f51ccb1d581f4b75c4e8583f36aeee9639c2c85d983ed6fa55c72d3

SHA512
66b0d76af2ec8a46cda810c3671a380731fb561bda13f1723f9951a8f6de09e3024bdaba39b245b4956be7ab988bbecd64b35a6ec8b92e1df69325c570430996

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
0c89d4d0886dadbbcde441f24c2fbf30

SHA1
c8fc04488b2701e5f3e01d8f7afc0fd5137ceeb8

SHA256
c527ad062cc803052cd8c4fcfd6f69bcebfcac72411c74dc88875de2197032a2

SHA512
a269fec8147ebe7d92795770f9d71ff676a7435d88535bb53ca607d42b2dc6caa7512f7367db13331fef98819fdb5522151b604aba18e4c5d46e7d67f6970024

Download Submit