fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
Size

4.1MB
MD5

da530171e74c008ced3f9191086d2cd0
SHA1

05d77b59ca883b526b617eeb51d952e90a09f2dc
SHA256

fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01
SHA512

aaf8ac9bef007f0e527ba170555428d6205aa431f68c3f7af97109f7192837cbba5bc12f0454d303199baff7ce2aad7743ba8624d9849ddf7f7037d3514ccbcd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBgB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe

Executes dropped EXE 2 IoCs

pid	Process
2164	ecabod.exe
2684	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRA\\abodsys.exe"	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXE\\optiasys.exe"	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe
2164	ecabod.exe
2684	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2164	1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	28
PID 1700 wrote to memory of 2164	1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	28
PID 1700 wrote to memory of 2164	1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	28
PID 1700 wrote to memory of 2164	1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	28
PID 1700 wrote to memory of 2684	1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	29
PID 1700 wrote to memory of 2684	1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	29
PID 1700 wrote to memory of 2684	1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	29
PID 1700 wrote to memory of 2684	1700	fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe	29

C:\Users\Admin\AppData\Local\Temp\fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe
"C:\Users\Admin\AppData\Local\Temp\fac5e2f549cfe62bcad9e0152d388b7e086609c2a24a1bc58585d457092dfa01.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\FilesRA\abodsys.exe
  C:\FilesRA\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesRA\abodsys.exe

Filesize
4.1MB

MD5
07bb289a38522b68ad14ddfdf3f90805

SHA1
b718f9ab8805edcda3110628ab40f598f41c5aae

SHA256
8c5e671757122036c18deb42bc28ad3f3cc79c2ff9ba1c2588dd81406e38225b

SHA512
e828082d86809ff9d6a9d02f4fefda9d1636775aef2b7212c8f12311954cfe0e69fea58bb67ddd25581af2046ac2f7990f22c8443049f0e3b4d89b699638cd77

Download Submit
C:\MintXE\optiasys.exe

Filesize
4.1MB

MD5
820410cd82466909deb7c7136f018a47

SHA1
17c7afe2c5e69c03108db2172b31d4eda1a978e4

SHA256
675159bf18cc1327bb8519cbcc4fbca42f6a6bb8dd2be6d942436e25bf87be37

SHA512
20801b09600be16286aa461552c6f3835d470a2cc2006fa592a159d50c79d266329dfd190b74cfa8c3fb314c41429cc9cfce18770eb39229cfb765a297200e72

Download Submit
C:\MintXE\optiasys.exe

Filesize
4.1MB

MD5
c77ac69e6715d496c1b0f2fc248f3b47

SHA1
989fd3d8502861e6bd5f1bb5429b3b4ea73e49ec

SHA256
aa1d250d4b635544561efcb1ee7ab1b8af4cae5b065dd76679459675802f7806

SHA512
b369f1c74864b2fdc3c7b8c718aaceb122b66d5127bf5c8df59c87c87876eb534b0f388044d6b376dc55bc10d088fec476e64759e2078aa8397c8c38a0cae75d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
c706d8fc597fe10c890258aa03e4defb

SHA1
fe071da16802a145314d8e17651331a8c24db21c

SHA256
1e648df8b1c4135728772bffc527c659e3849989fd90dc4259744931cf284bee

SHA512
48afce71354f094729144ad638db74c318f314c08ed4425bc8e15e53ec2d4b47d9aa3798c7f860e63dd761a9c6ad9b732426b063c03a37a2b40a7ae3b8de1d38

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
837d8d406931c19607f7226e1718c8bc

SHA1
cc6aac10c1e74a6496c10f604569bea449ba7c58

SHA256
118994c2b7dbdab71413348bf940b25055092b9fe694ac8981706bae22e63db7

SHA512
b1e6a4371b68f472617b4f29e1cc58f007708f94dd331373b985fbcaec9cb09f13f177d01d8d1f5097d5ad6628f6b46f6326a49ffe41cec0a4863aa723dad1ad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
4.1MB

MD5
9ea6687ba76b805ada45a080f06e4cab

SHA1
98d05db30fa8aca404fc4514ccf6e4dabd8df545

SHA256
cde54d2a73b0eeddb6f94c5d1e0c07205911af8a42b3610444ff63b1be93e73b

SHA512
6c4cc0b7ca615707e2e99bd0e8d836b6f89839ac2314e01caa7ea3a526a75a0c812d527f8009a5e2f4e07ec56987f79b3a40828e2b0bc187d527a0478af95c67

Download Submit