b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe
Size

2.6MB
MD5

4be4cf1d7701bb2a386c452ec9577130
SHA1

5d6cccb56d87dbafcff675f88328f0990f7efee4
SHA256

b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1
SHA512

6f8c709d8fd57295ab94571163f24180ffb73e727e6db918ecd02bc144000127d2fd4adfa030a31fbddbf5c692e68d8e48256f41f78fcacd3e06b380b5343d01
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpxb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe

Executes dropped EXE 2 IoCs

pid	Process
2164	ecadob.exe
2316	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe
2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYD\\abodec.exe"	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPP\\optidevloc.exe"	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe
2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe
2164	ecadob.exe
2316	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2164	2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe	30
PID 2936 wrote to memory of 2164	2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe	30
PID 2936 wrote to memory of 2164	2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe	30
PID 2936 wrote to memory of 2164	2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe	30
PID 2936 wrote to memory of 2316	2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe	31
PID 2936 wrote to memory of 2316	2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe	31
PID 2936 wrote to memory of 2316	2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe	31
PID 2936 wrote to memory of 2316	2936	b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe	31

C:\Users\Admin\AppData\Local\Temp\b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe
"C:\Users\Admin\AppData\Local\Temp\b5a6c06aef9a854803c89f08624cf3e71c68df02c166299dd8fd14f3ffe622c1N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\UserDotYD\abodec.exe
  C:\UserDotYD\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBPP\optidevloc.exe

Filesize
2.6MB

MD5
4a2aa4ef32d4ca38779a5f03762b7471

SHA1
3c863b20280b731952e4eaf62af05a2f404786e9

SHA256
1e985899f176e3b91c8da310f85d555d937975e4963eaa9a6122bc93ab96c487

SHA512
64b7fd9e6c61c5e1d8913b5115c621d3266bf3fa0983974167038ee45d2c35dc23a2a67560d57e97c231789d2d7330832a7a070eb597ebe366bf2b762bf63a2f

Download Submit
C:\KaVBPP\optidevloc.exe

Filesize
2.6MB

MD5
8cf6afb1e92a6d7ad70817398fd9e4cb

SHA1
e7160e8317c588b61be7b0a283eadf09610fde25

SHA256
1baeaf91b503f5c700271e563282913aea42ae76c9b46de56c377e6d208511bc

SHA512
8c5257782f532633ca26f611cfd73073e216f14fd62b471a47e1ef7b22086f8fe8ba17b3764e12ba5487018ee85287dd1262a140a6ffcfd31309da67983e46db

Download Submit
C:\UserDotYD\abodec.exe

Filesize
2.6MB

MD5
d643dc480d7fbe4280ce33d260614af6

SHA1
5aa50f54b1b7a65068f44ce132d41a891cb48751

SHA256
d096b687a21d88f1ab377b19efedd827862d87afd419f95a7bd05c2f55b6dd3f

SHA512
07fad25083cd183385bff3bb033738ae761d88cd1091984c35f251c73cf9baf7e3be1ca04912a0370bfad3e1d79c22f0cf21cabbb27a9f34c8a81ddc7b59cb58

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
6c9dbcb0143e4da20af1c36f8f3ddd3f

SHA1
ee4b266319814e20cde971e713c222c182c17386

SHA256
93e67eb4c0640a847178460d694e8ad8979e5e81e62e6e52c49a1aaef3a2a41e

SHA512
85833b33f36d3c976bbbc3a9e9818f64bd5a8a292a5ab5e193a15480ee9c6378d280f842a6df16e6240919ebf337946bc9ded07e5616777f5da8098cc9b44223

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
1c048c32eba16bf199908cc27ef8d174

SHA1
44cc9bce15dac102637fc270a6588e04544e46f1

SHA256
f122f77abf036a46624fb12580c374eabc6a03a58aef3016a182fc12b4d073f8

SHA512
fa50d1701b2a704842d28edeb3babf7c4b72edcd583daf5f809f6de668700823eecd544324cf9c970b8f9c73f691fe430f7ba0377c1811b951b46c42c1b6f9d9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
211d3a8b0cd3d078340fee25413eaa43

SHA1
79e773e0663b3dc301416647a0ec3528b0a724a8

SHA256
9f77cb1ad4f51d6dd652bf5e9f1852484bc3f8a0254b492f83801cb53a57cc54

SHA512
e690e4eb1d186845365dd9bdfd5424d719eca7258152acd2dc6a4ef9db5662dc51f04b565ed72135774de693388346570f6692158116cc809b20f7e63c469aea

Download Submit