a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe
Size

2.6MB
MD5

4bf88531c59a41a8e5dd789535954e6a
SHA1

c11c618b724e6e5dc89f1b5cfeedb70e20566388
SHA256

a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e
SHA512

2513a1d1e177eb655524cac1638a18e5d4e930c5338a5b7ef79e36e3ccd77a377a85a9ea68e125b18668f8f43f756f56a7d819a06c6f5e6f2e45197410caa173
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpmb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe

Executes dropped EXE 2 IoCs

pid	Process
1652	ecaopti.exe
1148	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe
1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotF1\\devbodsys.exe"	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGO\\optidevec.exe"	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe
1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe
1652	ecaopti.exe
1148	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1652	1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe	30
PID 1904 wrote to memory of 1652	1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe	30
PID 1904 wrote to memory of 1652	1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe	30
PID 1904 wrote to memory of 1652	1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe	30
PID 1904 wrote to memory of 1148	1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe	31
PID 1904 wrote to memory of 1148	1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe	31
PID 1904 wrote to memory of 1148	1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe	31
PID 1904 wrote to memory of 1148	1904	a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe	31

C:\Users\Admin\AppData\Local\Temp\a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe
"C:\Users\Admin\AppData\Local\Temp\a7cbcc3e77172cff1cdb68b39702b345d691598cdacb04e83b85e93e0d748b0e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\UserDotF1\devbodsys.exe
  C:\UserDotF1\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxGO\optidevec.exe

Filesize
23KB

MD5
3802e70e50917db6adbff13a6824dce7

SHA1
1ec74804dcbb5eac9158cc01b922116000bd27f6

SHA256
b81d5b38681149b114bf47a1e7fa43ddd85131b90d90958a3b1ff715a6be3573

SHA512
2ae50667aa5c3bf216c71d67c60ef19a77841a00f44d71976aa8f97b9a6fd7f512a1183679559970fb5175722a27db103b3b44cbae08e134908cdae961b88b2b

Download Submit
C:\GalaxGO\optidevec.exe

Filesize
2.6MB

MD5
80a10565ba4cee8f4f612dab6dc47441

SHA1
8f55bc172d5f2005e0eff6dfe68f2838153f3f4e

SHA256
f814df3a583e5a268de8fcf62a63782e9c4c69067c4d6932f2f3af62bdf34b5f

SHA512
6433ac446144659bf4ac8760be81650e293c65ec5cf1bbdd4beaacc9fe94fa603eedca6b77737c846ccf3d1bfc85fb72d925c27c702c0d7bedf006830f75c23b

Download Submit
C:\UserDotF1\devbodsys.exe

Filesize
10KB

MD5
1b916c50de9513bd35995ff6e69aef92

SHA1
52937fef400b241d4a8b1ddd227652b7c677d4bb

SHA256
87b86902356dc8919842b25007d34f46886d02128a2a02cb251d67dde3bccbe0

SHA512
7d45f793fac4540d35fd63f20caf5172cb11727e67a9016311072bbe1de9cbfac63ba2f8cb9bc93bb3b067ce7a65d0ee23b7d88fc199ffd6728e49343007d85e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
e15739c7f1b2d1ad7c109e4bd0bf84c6

SHA1
001f6fa077ebf63d1c1e879ad3279135d4c46a18

SHA256
11185eb966daed4348cbe178c39edb5a30f6a6d55dd6dadb0caffa99c9d83e73

SHA512
0c4209b23a5a72eec0c5d80327dffb0a6401962cf16186e1c26d6c81b4be1d417630a437f62dedf649cd7976f7fb155daddad6089f2b0f2399509ebe7ad93fbd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
0bc305a6c2f44d8c9f611f5d007848c5

SHA1
1f3e0dca2a5aa0baa9fc1edf7426966ad9961dcc

SHA256
3155ae32df92ba1059f8e9abff137e41546ffd9b08855b891e8ee989f8ffbd0a

SHA512
2f8c0bbe18c31923bcc0a472e56be8621a13439f745cc2927af1e7b5549e35d941fc83e18cd248889dde04a4190d300ae6c9d11de0313610a677d62d64ad1f97

Download Submit
\UserDotF1\devbodsys.exe

Filesize
2.6MB

MD5
4b344ba71be4618be0333e7908a3e63c

SHA1
6ae1b9c25c01548252ea53dafe3c11c3ef734c71

SHA256
3329a3a7ef8127cae0adae39fd851452a3cff08ad1fa1dc533dee068a78f2867

SHA512
6e0352fb8a4e2a9fc4330d47273f05d57757e35af61b3cb041d3e11eea4092b294a32fa6819a892373d4cdf122aa2e4cac1a5341974735d468243b6e6182f038

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
54124aab569ad8834ac107a1703af6f8

SHA1
4226fc8f242aace64c8df878d312f849422b9610

SHA256
1ff4fc3eb506bb0c84c5a28caaf766429a12cb92d7422afb5406ee79e99fc364

SHA512
dc97a28b624e5ea0f259db5e008ae542ec867f4c71aa2a31161e31228689f09cbbd45639e540d7c6f433397e985f8f10d3ba23d56eb5a843dfd3e249fa336baf

Download Submit