7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
Size

3.2MB
MD5

4a7d93131a90e09700908ddd29caf6b4
SHA1

e30603b7ac5b40602edb8054966e5042ceac9cbe
SHA256

7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1
SHA512

d10bfa91b253528012d7b05a5a28fa133b77e1ba26cb8c6047f4e499e70c44a9ac5905853a642e65fa1be9e1b8d800f88e692575ef2f6c79385cb595f46737e9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpgbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	ecxbod.exe
2560	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZG0\\optiasys.exe"	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2V\\aoptiec.exe"	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe
2896	ecxbod.exe
2560	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2896	2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	28
PID 2400 wrote to memory of 2896	2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	28
PID 2400 wrote to memory of 2896	2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	28
PID 2400 wrote to memory of 2896	2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	28
PID 2400 wrote to memory of 2560	2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	29
PID 2400 wrote to memory of 2560	2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	29
PID 2400 wrote to memory of 2560	2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	29
PID 2400 wrote to memory of 2560	2400	7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe	29

C:\Users\Admin\AppData\Local\Temp\7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe
"C:\Users\Admin\AppData\Local\Temp\7a4d25eb0c10b396cd83bf2aebe0bfbf8907c877448dfbb9798c732b673f31f1.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Adobe2V\aoptiec.exe
  C:\Adobe2V\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe2V\aoptiec.exe

Filesize
3.2MB

MD5
363fe7f368f74aa95535e0ba1a644cf9

SHA1
9c9474863c137ff24210c11b49d3a64679a13e35

SHA256
cc983b58a39778b424bd82e2518ca1949fc26f7ed1bd46eeb04ed92049eab0c9

SHA512
933f1ca34076c3d04870e5343e2d9d8e4056aceb36d1178033ebfb3b126af594634c80e0affd22d4d2af719dc78f4487524844f476ebbef516896bd45c8428ad

Download Submit
C:\LabZG0\optiasys.exe

Filesize
1.8MB

MD5
5f56cd14a7959bb3ef7c4ba2068597b0

SHA1
940f6e5f63b389a331d1c601710fbc8630743852

SHA256
afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580

SHA512
1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb

Download Submit
C:\LabZG0\optiasys.exe

Filesize
3.2MB

MD5
5041b3c24f39d7ebe9830fc3fa212ad2

SHA1
c240ea0e60287f74af9f19c32531568c306e1220

SHA256
a813934ef833a656b17881c4e2d150a97dadcbd9e69550869492dd0a4624fd55

SHA512
37345fea9356e2208eec72e1f9c71f02437da428308541bc8a616cea6b0c9bb48e63fc784b67f237ab9998429d7199023d229dcee3193aa3b4d95282bad02b4c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
81717bfd3cc7532ca415d171df7fd533

SHA1
7e5df5ad724d5d540d249daa5d306689f470e6bf

SHA256
7162f8ff32186e23a4af6d2afdbe858150ebf385090889f82b3b7d446adfae71

SHA512
fc9808453d343bc3c31140d573c23932c6c3d2709a6da59ccabc7b1faf20cfdfd49dd790b454c6ec807da044760a0a0c5690f639e2c5da4da89cc41d55f6edba

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
58502fc9a2b66f10e1ffdc01cb0c7668

SHA1
ba1b2349061ca068201a46e7b6f88e7d0889b3fd

SHA256
13667dc6fc3d501307d422f23e00bc6ce01b184cf43da4db85acc1c89c9dd45e

SHA512
f95db64b484bf3073d7b455d04c9f1a5ddb59278c74dfd8db11cf532adebd208fbb03a604cfc26a814223435b384c362ed2d9ebcd7cc909aeb8b6bbc505873b1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.2MB

MD5
75d8876da956f735663f3234ce51c532

SHA1
8146e38cef64d1f2d8978522410172ee0a599fba

SHA256
982750b8a044676ed2a7da9b9554359e649f88d74283328819acc140863cf12b

SHA512
6328048223f930135f03529f5807921a3823c1ba5c6e60ecfcc4235f2f9a02b6d1af70229811812cf19c42a670bad1cdfce0194e9d6a291214f61972d5d1621c

Download Submit