3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 21:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
Size

2.6MB
MD5

4f4f8fdb971a1615625451923e92979c
SHA1

1ab18abc1f5a84a99c8f117b0292bf8e7ee28c2f
SHA256

3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4
SHA512

21f5fb1533d702605985468f3aa73529d5aa604d550e251c12467341a15a1a56007c3152e26c14d196eb4c169b47da0f0935019db62729200286e0f4fe7a9b32
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe

Executes dropped EXE 2 IoCs

pid	Process
2432	ecaopti.exe
1976	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1Z\\abodec.exe"	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJB\\bodaec.exe"	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe
2432	ecaopti.exe
1976	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2432	2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	30
PID 2580 wrote to memory of 2432	2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	30
PID 2580 wrote to memory of 2432	2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	30
PID 2580 wrote to memory of 2432	2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	30
PID 2580 wrote to memory of 1976	2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	31
PID 2580 wrote to memory of 1976	2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	31
PID 2580 wrote to memory of 1976	2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	31
PID 2580 wrote to memory of 1976	2580	3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe	31

C:\Users\Admin\AppData\Local\Temp\3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe
"C:\Users\Admin\AppData\Local\Temp\3c22535d901d1fbeb594defa63ffe64a8da4accd8532852fd920b1762879bdb4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\SysDrv1Z\abodec.exe
  C:\SysDrv1Z\abodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintJB\bodaec.exe

Filesize
229KB

MD5
b376e42b12a779b2c107fe39a957518f

SHA1
2a47ce8923261eafe9152405a3473c097502c656

SHA256
6143948ba2eef2a310c59d4a7730ee856819e6a1b1e2c4a5474f3fcc35330481

SHA512
f4a934896c8f1bf79dd361d08014835a67f1fb55dbc5df489c840c61d4087207d43868e786fd1c971dddeedeb583445472616a1b049f15ac57c3ca9adb44c3f5

Download Submit
C:\MintJB\bodaec.exe

Filesize
2.6MB

MD5
6c33605928ce8bc5331665e9715e9af1

SHA1
45bdb7c85f9545180c4c58ba02289c462b3960b4

SHA256
54eb15b944aa5b39d0776eb724d22ca6e141ed6a5fdb2e97f780fc81c00d955c

SHA512
515a67cbe7477119549610439321e3204cb1abf8c1ceb617ce4e20af17faec358054661a26d5b90c909745cdde22831f4cb9891ca0ffdc33d139eb04201fcd26

Download Submit
C:\SysDrv1Z\abodec.exe

Filesize
48KB

MD5
d48736965f2b8e04bebb694d01483c92

SHA1
835cf4b7af1f69194c52135a66eab049613ced97

SHA256
2f98d5c6795d26c2dd4d5a98ca95180513c6ccfbe3e94e6123b6e2a68ff2cff5

SHA512
f80ad636f5a916fc4377bf1c3728a3067b94a8e39756c9534393fc24d5f28f16ae87fe27c6f8e4e84cb666d648ea7848fecb9e5a1ded31a6e45721ed182f871f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
a78bbe62e4be170dff888607f793a8a8

SHA1
218bace18fd880d6a269cec5fc07dd2a3af9d537

SHA256
e6b42a8aa519baf3bbfcf98fca8604c3007f37170e525f6c9bfd2c81dfd90d0e

SHA512
e81d3f39ec95fb3dc414b731b6c4de8541ca3c59985c2038761e082cce1fd17a52f2738c2008f04f2cd02edd920265da740a72b556897fdf934ddf2fca09b0c7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
fb0359dafd6f468f8d5fa7cf48cf516a

SHA1
4e8a2f5a3510e9b4daa54e2096fe904d893e61bd

SHA256
be60eb566f0b318164b01162a71e6f34eb82f9e4209f3e50dde6c9c05bacd5e6

SHA512
830b06ec714e1ab0a607ff9c1a9359b19928c327f6e3db98d96d26bf4c13c452c69ada29da7642c1a84d0b8098df71e3230b906558e44f93562ad36800f74702

Download Submit
\SysDrv1Z\abodec.exe

Filesize
2.6MB

MD5
1397d2392a61a97d61f59049ba9dba10

SHA1
7fadb59653a3971b913f3a46e4144eb6e86b0992

SHA256
838a55cad2626a22bdf031a92632b1cc6b63da342f47674aad3b8d38f544f863

SHA512
219ab3109679e252d188922a2f2308df2e982fcf9e3d9794d9c8eddd48b2c1dc59c8181d26f91cb6e9eb9f5bf7d678ee06f29b7de55d189a98057de7c201a0f4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
921ed58676d39073ff7553f076750e50

SHA1
17eb0cd701ee7e60b5678c680cc1a161f7ae40de

SHA256
10bc78d9f2005dd17bb92a971d6f05d12642a980fd453e8beab7cc0ccafc10b7

SHA512
1fb1104beb9bedd81df9b830cf58a0d5844945f286389079e56c23fb7d22f6ad8c6e0b75f9bd6dd2a7e0e945451764d4098c6af7827f728afd2cc3d9de784ca1

Download Submit