70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
Size

3.0MB
MD5

be2234c150990775e1c873e7e6616739
SHA1

83730d07f202de46c71210f23bab03b09a537179
SHA256

70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04
SHA512

b92fa0345044253e5cb9d8f8e2eeadd48a293a43343b8622258bd1efe9e700d15c764ea2fc4c55ea1230a9a58cc1273a9abbf94ea9fd83e6b1d989cd5c666279
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNX:sxX7QnxrloE5dpUpEbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe

Executes dropped EXE 2 IoCs

pid	Process
2880	ecdevopti.exe
4904	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotF0\\xbodec.exe"	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNL\\dobaloc.exe"	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe
2880	ecdevopti.exe
2880	ecdevopti.exe
4904	xbodec.exe
4904	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2880	1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	87
PID 1464 wrote to memory of 2880	1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	87
PID 1464 wrote to memory of 2880	1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	87
PID 1464 wrote to memory of 4904	1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	88
PID 1464 wrote to memory of 4904	1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	88
PID 1464 wrote to memory of 4904	1464	70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe	88

C:\Users\Admin\AppData\Local\Temp\70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe
"C:\Users\Admin\AppData\Local\Temp\70923a86d9482fc8ab640907e0d47af575c597925fdb599ac10cbc1075ce1d04.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\UserDotF0\xbodec.exe
  C:\UserDotF0\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintNL\dobaloc.exe

Filesize
1.9MB

MD5
1915fdd937da72ae64b0e4efabb29568

SHA1
e306db7d90fae6039909a04ae7e257fd803536a7

SHA256
fbcd6d33e24252269fd806045921bf489428be0ba8d67c853a2104e25ec156c9

SHA512
fe533c42e713f5f3e443a1b480d83c005acc09bf41b0eeb26bbb5ec1a1766acff272f58264d99d53c4a5a76f4309158c70f1859de80f94d71174b956dceee86c

Download Submit
C:\MintNL\dobaloc.exe

Filesize
3.0MB

MD5
69b9577d7e6db802d4fef44c1f72b7ca

SHA1
9180c837c5f0d6921a8c0f38d030fe78fa8f41c7

SHA256
eeed78ccd3292db175cb21f85ecc9bbbce2110f2e166fed96f3a9062a1b2963c

SHA512
62245e039e302912edbe46286240d1e8a3daac57f0333db52edac093c9303b50ad439d22882be22eed848add9c5b73aae72195fcb3ac491fe4fc22e97f0f9e19

Download Submit
C:\UserDotF0\xbodec.exe

Filesize
3.0MB

MD5
752adcdcb4b32891fed2b7b991adeb43

SHA1
37f292e243bec3d2e463e046cb4c28cb2024071f

SHA256
1cc986654c75f13ebaefdfea1a192c014753096cbff0464905bb5cbccf19da6e

SHA512
5de6c86cfffc41dace8c0e974f92c9a1861916feef8403fba39807ba431f56497295f72dcc2fdd1fd9d89892936bdb7ca4076df675b3d24d43b20b9152754c2a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
a2441b09b174236bba90ebde9109f5be

SHA1
53799204a7b78d758be418a3d6c9f9b46dbc5216

SHA256
d1a43fc50c8d49bb89ec672fe54ce7e72c9bfe7edb6a7ff1a5749e0dd10a2f36

SHA512
6add65a23ea1359092118562ca41dd5722c8de1fe9e642692c5b14fa41076f879e5cb21818adf23fa5cfddfacfede0de73f78a93d0f822e67264f874158490b9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
8044875fe40f24f4236f7dd9b9ce1bd7

SHA1
aa12ca0dce52fadc51f401b8b483dff11f8081e6

SHA256
5cd7447b49be9aea688837cb84b451b5c5cef984368fdf206f50b764ca08f87a

SHA512
f3f518b6c4b6174dbba15071707e3400a4a3500666586599595fa49fd6c9ce2e75e379a97b9acf34a28ba69267c318e418645c647fb35c9f071418507bbe5268

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.0MB

MD5
cae9c136f8752a8b5add9ab2c58b75f7

SHA1
ac7f606b554824fe9636fa7285f56aa031d01674

SHA256
69e2b610bc58a5349ae840275aad4c969b94465691acba65d0fefab37ed034cd

SHA512
52d3553d20498478490d5c2e2913aeb47affb263ac70802aa748df6b5a19f344da1344b1bbe7504d3b90aba05e6ccd78f19d6d50c005ddea38fa09515624c371

Download Submit