6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 23:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
Size

3.6MB
MD5

c2e13e5c8ce944a26ae0283f83643209
SHA1

bd4b3aabcc644c6d0f071804c6c6bc0dbd6578de
SHA256

6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4
SHA512

b927035f5c3653ac01e1f5625db3b43936cf35d96801a95262b2df8409c84e996bddaf7df10333d2fc87ac97527834b9560ee721960b805b6e54b5d8f81bb251
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8:sxX7QnxrloE5dpUpgbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe

Executes dropped EXE 2 IoCs

pid	Process
3576	ecdevdob.exe
2900	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8V\\abodec.exe"	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintST\\dobasys.exe"	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe
3576	ecdevdob.exe
3576	ecdevdob.exe
2900	abodec.exe
2900	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 3576	3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	90
PID 3796 wrote to memory of 3576	3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	90
PID 3796 wrote to memory of 3576	3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	90
PID 3796 wrote to memory of 2900	3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	91
PID 3796 wrote to memory of 2900	3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	91
PID 3796 wrote to memory of 2900	3796	6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe	91

C:\Users\Admin\AppData\Local\Temp\6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe
"C:\Users\Admin\AppData\Local\Temp\6b5f0c014955ab4595fdb9ae4ac42711c2091a45e5187965a00bf7aad621ade4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\UserDot8V\abodec.exe
  C:\UserDot8V\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintST\dobasys.exe

Filesize
217KB

MD5
2456630e5a76705cf994c8e3117f53f4

SHA1
b3fa80857b1010e8902a22467fd5e25fca883df3

SHA256
4b1d045722168ee7e892e7a492b86220160f6330106b20d1b91c1b3e4363581f

SHA512
01b81dcf390c1a4498655128522b727a274221fcdb47d2e2a3b97b567fc9ebef9d8aeb434b9079b223ac6a36864de6a7847ea6230a244a4e071ad269d00c53de

Download Submit
C:\MintST\dobasys.exe

Filesize
617KB

MD5
a76bfe7d63ab3c881c89d8e544ab54de

SHA1
121605a2fe4365454a4a4eff157890d252043c6c

SHA256
6dc604ee2018ec50ff5e9f4358aebfac4ab4425adb4d309b1d0b72158c15125a

SHA512
c89609a7833fa1bf18ad201954606ddc9248faceec8e8dc340bd3e89bef82b9a22cf7927d38caa4e4260b3404be33a0f4d3076dc9b16917a9a4bc7fbf6c7b4a5

Download Submit
C:\UserDot8V\abodec.exe

Filesize
3.6MB

MD5
3099b240d02f74a2de369af166d4001b

SHA1
b513a61293fbe93f2c9062a3bcd146aa6d2b7772

SHA256
5667097e0b930ac43b957806861c96ab0431ea0df3dac68155dac8e129f32773

SHA512
8108e8aae88bb7cd016bd05f3885903360e76781347b97a2bcd47562dcaca0a48a8b8e4bffd5453bfe6a4834a54d46bd8b2a2199ed51ba83db1dd7ed70ca2fe5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
a137dcbb364b5c4280d50874f2aec31a

SHA1
c117a952db66933403067d5edb18eb9e5bd83e6a

SHA256
3c2f1f23fd04465fd4efb8bd85ab17527e096ec1e5342376cb5b417ef2c155ab

SHA512
eb839d8f9801d8b1becd46a01220ab66f9fbe5b7f8f9487e77396ba591afe1a5230ef80eb3d3fe620556129b67aeccc343e2a100123034a146518e278c44386d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
613aa62b8c8ad86a6bebcbfa6233a335

SHA1
497dfb390cd0448f5b5f5a30542ceab3ba9cceef

SHA256
aaad453500f04c4915a2f3263c4534658d4bd0bac4a2d9406806bd42d6645638

SHA512
985013e5a05bfcda892f51fe1ea8403925355675b6ef20de6a909011a4fa35a235639b76b35ce2aa44cf016ae1e62afac24af11c410a52ad2f46c6a12d1120fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.6MB

MD5
f53fff39a5b9da76fa138dd621670cd5

SHA1
256ccbf0aeff13f619d5c6586dbb3bb43bba0e2f

SHA256
6b7f94df5d319006190e373318c54db36f845fa5228423a3c6f56dc2cdad1777

SHA512
f962c317a3d9f682d1ea8d54d37a8b545467c817fc322ba553b2b2a13bc38169e39f6e38859160937ef1fd1984ae6fc723495ae3b0cb051bd21da136673b859b

Download Submit