7bf32c6ac0cdc0b3d1f8a8edab395ad657684a6727add540ef549e0c061e64ae

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ea787ebf2699318c40579ee8c734410N.exe
Size

2.6MB
MD5

4ea787ebf2699318c40579ee8c734410
SHA1

6c1df063f60e4a28ed791310e465680d702eaed9
SHA256

7bf32c6ac0cdc0b3d1f8a8edab395ad657684a6727add540ef549e0c061e64ae
SHA512

64dae9089f6492ce856cf8d20e89f643dee39e9b658bf4dc6312b49abee2078df71ea89ea2773406c007b0186ae89f1901043fbd86c7f928c39541acb155152a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpib

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	4ea787ebf2699318c40579ee8c734410N.exe

Executes dropped EXE 2 IoCs

pid	Process
2252	ecxbod.exe
1880	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	4ea787ebf2699318c40579ee8c734410N.exe
2516	4ea787ebf2699318c40579ee8c734410N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV4\\aoptiec.exe"	4ea787ebf2699318c40579ee8c734410N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8A\\bodaec.exe"	4ea787ebf2699318c40579ee8c734410N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ea787ebf2699318c40579ee8c734410N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	4ea787ebf2699318c40579ee8c734410N.exe
2516	4ea787ebf2699318c40579ee8c734410N.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe
2252	ecxbod.exe
1880	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2252	2516	4ea787ebf2699318c40579ee8c734410N.exe	31
PID 2516 wrote to memory of 2252	2516	4ea787ebf2699318c40579ee8c734410N.exe	31
PID 2516 wrote to memory of 2252	2516	4ea787ebf2699318c40579ee8c734410N.exe	31
PID 2516 wrote to memory of 2252	2516	4ea787ebf2699318c40579ee8c734410N.exe	31
PID 2516 wrote to memory of 1880	2516	4ea787ebf2699318c40579ee8c734410N.exe	32
PID 2516 wrote to memory of 1880	2516	4ea787ebf2699318c40579ee8c734410N.exe	32
PID 2516 wrote to memory of 1880	2516	4ea787ebf2699318c40579ee8c734410N.exe	32
PID 2516 wrote to memory of 1880	2516	4ea787ebf2699318c40579ee8c734410N.exe	32

C:\Users\Admin\AppData\Local\Temp\4ea787ebf2699318c40579ee8c734410N.exe
"C:\Users\Admin\AppData\Local\Temp\4ea787ebf2699318c40579ee8c734410N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\AdobeV4\aoptiec.exe
  C:\AdobeV4\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeV4\aoptiec.exe

Filesize
2.6MB

MD5
600822a7c1d95f28d4aa81b51cb42b37

SHA1
6040c0d34a43fbc27fceb5f93c3b119738aee7c2

SHA256
f301d6d82e788394b40cf1178efbec6819ca007f396cd482c8c58cba7a14551d

SHA512
3d5b3b29caaa3746ba34dca73dacf8ab5e86abf818c3af6d8ca41bcdc05b27beed62a0eaac274ba6077746d809440f61af856acc2f41181a4f159426b5a22016

Download Submit
C:\LabZ8A\bodaec.exe

Filesize
2.6MB

MD5
8a907de164f8842b6a81d36734d11eee

SHA1
a4c2685d4511cf467ebb021cf9c4e1682d128026

SHA256
c55013585642fafba4ee4d9aa8c26dbab6ccd2b5c8cfd6023c5fb42f7525c8ff

SHA512
59c3ac37fe23b38c3d6eab1b9011486b69596cf3f09c89b34cef9c8bab3ff93fea3cbe96225648c80de53028a56c49a84a8d24e96e0a89ec3d7d517eb0b1240b

Download Submit
C:\LabZ8A\bodaec.exe

Filesize
2.6MB

MD5
46cf4f40db4663e7b94a9759bc93c0c4

SHA1
9075298ee194954ec86b2bc4281b4f93d7e0d78e

SHA256
60680424b06f8134af22224512eee62173cf86e3425d67dcdbb6111bf393c0c5

SHA512
e64b6e72a3a0716a9dcb9557a63e62207cfcb201846d978d06e30f7ec1eb0c1767817e17296136f8743bd65829b8af215893cc5406a8ff60f3f094a2d6c5de26

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
166B

MD5
78ba6f2743c02b1f156cb7eeb0b91a0f

SHA1
fb917389ea02d19d8290d329602c6fb1dd1b4f8c

SHA256
d51c4e03a9aef20580ed77e5a56b60624eadeb6c06d126f05813517e94c46461

SHA512
d2b5b0fabad63e6885b2929497d34404b9f686ae59bb9ef67a5ffd1ef7f4957d4e5475ccc1f7aa0aa760f1d853421536c1f3d69dd56cc8bb351b4dc1de5f3830

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
b9cf59cc26fb838c012d6ce9b43e7909

SHA1
9f647bfc14c4926bfe8d79005c97440d8d96775f

SHA256
baa614e2c7767f5514f4e1605a393a8df05644492a7990f8ad7e8f4ee95610cc

SHA512
aa4b8f4f2c3e0a8525ecb8baa49b6d356e387f3367ab3b657e8456a035046efebf1744d6b752032ca6c39d0e4780c9e2fc9db58eb7ce9539f0b880b447e6b8b6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
2.6MB

MD5
8d56dbd10cb8a0968bd97bb879c6c160

SHA1
9627ba6d6c45c09f65b84b11277930086fedd9f0

SHA256
64ab1a30896fbaa016371d7a1933313d834a5f2424736cf83303310a7c947d5a

SHA512
4ce1dc9e305e75a5c0a4afef5a0ea19b683ad5c078b863af81cde51d0e0993c531da9ff1107b2e10897e472c864f4e10da72d66ba40512192ae23726b17f853c

Download Submit