55b2e4030ecedb5aa94d49de7a10c602ddd530c450a226b9555dd16c69c7655e

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7cd19a05211f1179b79078787d18110N.exe
Size

3.9MB
MD5

c7cd19a05211f1179b79078787d18110
SHA1

ca8cc24023fc9e8497b8b7fe9bf3dd71c53ed455
SHA256

55b2e4030ecedb5aa94d49de7a10c602ddd530c450a226b9555dd16c69c7655e
SHA512

87f9d3fe9d41da6f85f437bf24be34c5eab0420910b140aec2de5ae2265cb9b808f51b6bf8c42c4d1abddb297b4852211955dbd59ca527cb1fcd6b33407670b5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpRbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	c7cd19a05211f1179b79078787d18110N.exe

Executes dropped EXE 2 IoCs

pid	Process
1496	ecaopti.exe
2496	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	c7cd19a05211f1179b79078787d18110N.exe
2900	c7cd19a05211f1179b79078787d18110N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDG\\abodec.exe"	c7cd19a05211f1179b79078787d18110N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUQ\\bodaec.exe"	c7cd19a05211f1179b79078787d18110N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	c7cd19a05211f1179b79078787d18110N.exe
2900	c7cd19a05211f1179b79078787d18110N.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe
1496	ecaopti.exe
2496	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 1496	2900	c7cd19a05211f1179b79078787d18110N.exe	31
PID 2900 wrote to memory of 1496	2900	c7cd19a05211f1179b79078787d18110N.exe	31
PID 2900 wrote to memory of 1496	2900	c7cd19a05211f1179b79078787d18110N.exe	31
PID 2900 wrote to memory of 1496	2900	c7cd19a05211f1179b79078787d18110N.exe	31
PID 2900 wrote to memory of 2496	2900	c7cd19a05211f1179b79078787d18110N.exe	32
PID 2900 wrote to memory of 2496	2900	c7cd19a05211f1179b79078787d18110N.exe	32
PID 2900 wrote to memory of 2496	2900	c7cd19a05211f1179b79078787d18110N.exe	32
PID 2900 wrote to memory of 2496	2900	c7cd19a05211f1179b79078787d18110N.exe	32

C:\Users\Admin\AppData\Local\Temp\c7cd19a05211f1179b79078787d18110N.exe
"C:\Users\Admin\AppData\Local\Temp\c7cd19a05211f1179b79078787d18110N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\UserDotDG\abodec.exe
  C:\UserDotDG\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZUQ\bodaec.exe

Filesize
3.9MB

MD5
03e59852666b49cbc57a44377c740732

SHA1
c39770aca307fa3c9202f3e3131039d7787c3be3

SHA256
876d6b6a9ec105d57937e8b55ba28eba0f428e12c3d2106d1cf28e683f1a5f81

SHA512
dbb39c9f97f5c456f47a68232588ca25c0821c9e5e826445cb2c6a7441a45e3896464df663c6de6c2674092914c06f364b876a57b9ebbf364f46349746f9cd79

Download Submit
C:\LabZUQ\bodaec.exe

Filesize
3.9MB

MD5
f550844500c4dd715c93d4eee5e3d670

SHA1
9144bf20f2668f20a1ad7445ec398c5b01b12525

SHA256
581e03b9408c8e02407f4efafd28c085150b6c4fac7f167764f013d4644d66a1

SHA512
947862eb32a65e010bfa04585fc971cdedf290fcb7d940304f10c68cfb38b3a9dc9ee86fdf1df1f47d6210b91b1d7d92c7c7b3337ba86a71d16b48acfad25e10

Download Submit
C:\UserDotDG\abodec.exe

Filesize
3.9MB

MD5
71ce4c084919533b68d44fd5d9c07cb4

SHA1
9b660e28228160d94609e133c64604a1edd7b477

SHA256
8e8f21ee72bf0364e53fb762e3bc619a8aad41d7984278bb9e0ca8108f4db3d2

SHA512
6b40e2da33dd49090847994a1e1bd3bf4242843f4c0e7b312a88a1fe74976b2174926894dcbbfc2e55a8a6a73a57cf7b115e7ef1f12adf7979cfd39135cae761

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
154392e6accbb3cdad0b183383f63168

SHA1
1b621acf44c7be2616b824e74dd13e749aec1e55

SHA256
58f28bda0a2600bf34a250a8a0335b7b9f769129973f5a37f1a6dc29f9756008

SHA512
98411e492c09c04f9bfb7eebfb2f8a9e9be84f11ef3c2f83b99f9fbc03f7372ec21aaa3b1099ccc9ce9afd97cce065c5b91bad4f486651e5b4318a3064452d26

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
ebcaa5024acdd690839bda9ea993d787

SHA1
20028e5baaa5de7915ac09a29f8239cb09f83147

SHA256
3738e17276cf6bf1831c1c6542b04a1361b8c0bc59a240da48b449fbac92adc0

SHA512
e1a250fdffeb4a19bbfd906016fb707f578648c53ce3373cd129639da4eaba8ac49982221f508b0d60aa647e4465445949819cf0beff7300730b8219a527c965

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
3.9MB

MD5
a4fe0d06ad2e3b44c2ed9166b6a6e694

SHA1
732ba947def53860dc0c93a656405c94a44e75b8

SHA256
73fa466c0a90abfa4d692123c14a9070ecb6a48f3195560de8df4267ab8136a6

SHA512
e3d79ffdf349980465bd2a2ce500a6d283aed8405844574ad5c23f3b11a48d7a48b0bed9eabc093c2f6a7b0da31f8d6ecc64a355188b9db89ddce20d6eaa1518

Download Submit