75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
Size

3.9MB
MD5

19595d1c2d71ff44594665db0d33c91a
SHA1

cf09952199be72ca3a85ce1de09ae30de6f37ef7
SHA256

75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979
SHA512

a4d1a4717aca33a621a1e9f693e02bb68361d042bb47757428a6f9faa4f2db78b169dc916f92c958141fa0f105f83ecb039085f3580adeda4beee7184b16575a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8:sxX7QnxrloE5dpUpmbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe

Executes dropped EXE 2 IoCs

pid	Process
2548	ecdevdob.exe
4112	abodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8V\\abodec.exe"	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintST\\dobasys.exe"	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe
2548	ecdevdob.exe
2548	ecdevdob.exe
4112	abodec.exe
4112	abodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2548	1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	90
PID 1672 wrote to memory of 2548	1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	90
PID 1672 wrote to memory of 2548	1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	90
PID 1672 wrote to memory of 4112	1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	91
PID 1672 wrote to memory of 4112	1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	91
PID 1672 wrote to memory of 4112	1672	75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe	91

C:\Users\Admin\AppData\Local\Temp\75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe
"C:\Users\Admin\AppData\Local\Temp\75ea276d03e8fee94630f75a68d0a562573d023eee655f89ab8833d2da2db979.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\UserDot8V\abodec.exe
  C:\UserDot8V\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintST\dobasys.exe

Filesize
1.0MB

MD5
9959d2006644baa915691b2742390abe

SHA1
53323cc0c0186e5c3692931a1a41f3a5754aceec

SHA256
23ca683b3a0493398a9c4cf6bf67c50d6f2215007ed0dd56dc3991c48d0f7e77

SHA512
c06aa993ab1a02b517d6f03a17b9314a3c935c11eb6184cb5920865cffc8331dfd77d7371720f7434a0c613500aa262af99d2ce8b0a828955d09e57bd995558d

Download Submit
C:\MintST\dobasys.exe

Filesize
3.9MB

MD5
c2aaece45543352b961fbdad71efa383

SHA1
f32a518b1ce414e9cb71c05972456e922fc3a728

SHA256
236603b8041f537add37f1db2691b29b3b099bb77846e608a5ab269f421acf30

SHA512
d744010b3fad70cff82a1345f0d84822791e10fac14ca2fa604bd9b3e318a8e763d69761e398ef9ab477efb1515853c7a5e6308faf99a1fdc83a182fdef0033d

Download Submit
C:\UserDot8V\abodec.exe

Filesize
3.9MB

MD5
4ecdf6250406a1a7ba2716a2f1a9290f

SHA1
7e427462d9452bb5e4fa5562b641e07594fd6d59

SHA256
d4ece8c75e2275681bf638d3272da25e098e3a258d6f6d3d611e6ec1965cdd70

SHA512
839fb019f4fa4a87c39766aa51ea40965b1561b1eb7cf8843682d22235e4e9fbc2d69b0af018a8fe117505de398eae449076021978aad87b476c48cad17a33de

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
a137dcbb364b5c4280d50874f2aec31a

SHA1
c117a952db66933403067d5edb18eb9e5bd83e6a

SHA256
3c2f1f23fd04465fd4efb8bd85ab17527e096ec1e5342376cb5b417ef2c155ab

SHA512
eb839d8f9801d8b1becd46a01220ab66f9fbe5b7f8f9487e77396ba591afe1a5230ef80eb3d3fe620556129b67aeccc343e2a100123034a146518e278c44386d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
613aa62b8c8ad86a6bebcbfa6233a335

SHA1
497dfb390cd0448f5b5f5a30542ceab3ba9cceef

SHA256
aaad453500f04c4915a2f3263c4534658d4bd0bac4a2d9406806bd42d6645638

SHA512
985013e5a05bfcda892f51fe1ea8403925355675b6ef20de6a909011a4fa35a235639b76b35ce2aa44cf016ae1e62afac24af11c410a52ad2f46c6a12d1120fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.9MB

MD5
10e621d2f401474bb072f53b3530d8f9

SHA1
f7e66b474a3993f0d5ec8ac2a8cd7f7f12c40744

SHA256
e8636315babe55cbc18b9af797d7c1e137e9e8b668b5fc9ba3bb331ab5e8cc25

SHA512
08f8d6467347a7a899217e16f2d4480b900750e4c71abe3dea0110dec2cdbe7d681a99e7c600971fe7a2f5dd71168960ec6a86c80fbb44e17389f225fe3b777d

Download Submit