d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
Size

3.6MB
MD5

29d788614176c36167d75bc7d2cddc46
SHA1

b74df108a16ee27f9f59f2c9c2b0186ff0341b15
SHA256

d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a
SHA512

7fb350077c5e6951c6e38785616851c49e3f9e6b1bedd0b36d8dabeabfa0165f12893a7ffd8e7e83c1814968ee3b3ecd0e0de2c546a8bb153f0aeee78438c7f9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSqz8:sxX7QnxrloE5dpUp4bVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	ecdevdob.exe
1396	abodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZV\\abodsys.exe"	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWE\\dobaec.exe"	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe
2196	ecdevdob.exe
1396	abodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2196	2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	28
PID 2740 wrote to memory of 2196	2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	28
PID 2740 wrote to memory of 2196	2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	28
PID 2740 wrote to memory of 2196	2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	28
PID 2740 wrote to memory of 1396	2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	29
PID 2740 wrote to memory of 1396	2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	29
PID 2740 wrote to memory of 1396	2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	29
PID 2740 wrote to memory of 1396	2740	d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe	29

C:\Users\Admin\AppData\Local\Temp\d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe
"C:\Users\Admin\AppData\Local\Temp\d4d3e1c379feab2bad3baf54966fec8100bcc12d80df990a777418859121569a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\SysDrvZV\abodsys.exe
  C:\SysDrvZV\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBWE\dobaec.exe

Filesize
2.0MB

MD5
2c1ac4dcac0beb0cdf073d5ff538e6a3

SHA1
266f9ece3b2d856723fefa3263b4780204ce87e5

SHA256
8d242fde1aa6972ae1a7f9670780fcb015e25824bccd28c2408a233b97844390

SHA512
bf04d6e0fb042197946aefbaa5d63846fc369aa668983584236fdc422b9cd6b5de2da1d5bf984bcb946b716da60caa8c201a0675a7faa90c339bcc11c3e905e1

Download Submit
C:\KaVBWE\dobaec.exe

Filesize
1.4MB

MD5
8785515ff1be4aa7e9931464a57d8124

SHA1
3fba583750e134e9ef717c3a32a3f5788b9d4f1c

SHA256
426785e7cd3bfcbad95accbbe287f911c55ffc04dd014992f212bdea89eea0a1

SHA512
5a9743e40ee48195636e5165e737fb984db170e27bcd9830d30f6679ec6405ddcf42318370ac0032f8ab85c2d7fb9042ea0a2f2a3a6638fd4d8acffeb56251de

Download Submit
C:\SysDrvZV\abodsys.exe

Filesize
1.4MB

MD5
8952ff7505d5c6c889bee66ff8f8412d

SHA1
1f326638dadab28e75164cd09d160885b8bd1795

SHA256
51dbc1365f9b1ca9b80c31f16d020ed665df9e9c07c6a7d3f1b8a0e63ce0e0a2

SHA512
1429250e045a5ad2c6e1cae4a176f225ad48ea28e8068239a044674447f3b1f0d3986ac54bbc8084d621123310d556122da2a3824d268f872dd4e7bad1c37ead

Download Submit
C:\SysDrvZV\abodsys.exe

Filesize
1.4MB

MD5
1a27ed04a27614e5d431a6c9660a6e24

SHA1
4bb334de7f1107fa0502cdae29df408e08bc5474

SHA256
933584b4291646f41aa201f1bbfa7623eafd94ae60951f6a417493f01a17a978

SHA512
ad34347207f808782ddcd3115a263ecba1773d327670b236d1d78f06d76aa7bc6d9e3706d20b95aa45a4ca08f153a8ec9bdae519e1aada9aeaadba9cc28e7069

Download Submit
C:\SysDrvZV\abodsys.exe

Filesize
1.4MB

MD5
f1d2bc35de7e6f571bf5cc91ea4e41c1

SHA1
bf2fb3bdb843f69284ab82aba96294a43fcfa6af

SHA256
780c2cbba891dfd4611a04887f36b721119f3ed2328e391cdd6864e7843cf259

SHA512
8a854f1db9eb67545fc79608e8163493761913ec5d1ff41f661073d8a4e7e6a8c3ae8545b20ad60406985c051d85f0d655eb4a945fd612f7f6c73ef9bd9ac081

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
fcc32a4274b744a80011930dd4847c20

SHA1
351a6ff986956afacdb72fc679f7b9a3d360d6db

SHA256
c186899607e4bf2db071d576c08d35ae1c760e2a4e80210d16e732e1ee8c9034

SHA512
007c5099d8c4ed5e21c39216475542750058ab02610a014d067438711736d28cbb7e5cbea6e72340aad6d85d9915b3e1186b945d4636f7f393e07d8024d682a4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
95e087feea966fd96e3cedb2fa5100b1

SHA1
59d42fec209dbb47235e940783552c6c83789e4f

SHA256
9021e73c0690730c333214013a2b369e4eda3eef1cca3f5a2d4be0c6f635325b

SHA512
fe18800b0451a74fc22613d9346d7d59faa8850a9a3d7db9781bc1e4b18158a372f1fc6e0006e11df867fc4c6101ecf95d1d9014b6da90eeabc5676fe49be715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.3MB

MD5
50517713a775fbce31045b8259470b49

SHA1
8eba017ec3b90a16d8a2df21193b9c05feada9ae

SHA256
ff1d649c442beeb96b52173b4068a527f26d70a371871685eb715706f112376e

SHA512
e1433da64b56abfb0b84ce504365291809b775f50299770ab84bed320b4ceffafbf7b4b618bebbbcc885ad30394c1aa43e9109601d2773746301080fd3431ac6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
1.7MB

MD5
462ec1c4dc4ae130401c52bfa4f5225b

SHA1
7b3a33e4cc9c7e99965fa186e91aedc7971ac518

SHA256
b39fd79e5b0e641625877fd179fe3a1f92a7ed71109631297dd343f57068f51d

SHA512
65b5cdf9b826272ad95fb6165eb5ffee16f8c298eee8d96a536f320fa8decf1c4d0c4b6a7094184da10d1c979551df522e7238375312b4ca9d94a8d65de6c491

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
1.9MB

MD5
529a271c2a2695a4cccf482309adcbc3

SHA1
8cfd5fa10ebdce14372b39152aad265e873b1995

SHA256
f24de77de71a64133ffde237bb16ddabbae6a80c06722a322839ec5f35d65895

SHA512
a91c5b4dd44b00e7fb56b238f0c76eba4b949f11787a87d333bad2f56fe1dcfbeadd7f90e6b71d4a4ef296c825fb4f1fae7751b7d83494058d1a8e01399177eb

Download Submit
\SysDrvZV\abodsys.exe

Filesize
1.4MB

MD5
7b0c3accbed346f8445bdd077c83759b

SHA1
9e4768bd7143873db3cdda5b3bc2874ee356def6

SHA256
ac4574d02d6e1e52867d65b5d39940b8618fc84fc1c6050b90901e80a29efd5a

SHA512
b7c912f04b0e63e46d6c61f4dfa345337436ae4b98a075b7b9256a6ab8a34571016d7c7f2d57b0147b318f8a2ada7a17956d3d54948671dd9e8ea5f808b56d3a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.7MB

MD5
03b13c6a1948bbbb1cdfa594f651316f

SHA1
18bc758d1e8900d505720b311a1ee3a33eca252c

SHA256
e9808d6fed432aa64b21178a1434e4a22c2b2734379b60cd6d5f9794ffee1cb2

SHA512
f879235914b85d486f75a961551383a2b74cc3c21c306b17c9ab5930af03f1d04a7263a26f9c2ac71d042ef24fa6a1e61f51a3429ee99a7b789bb31e2ba317ff

Download Submit