72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
Size

3.6MB
MD5

00b6b2878b67825d3d7c75fa07375ead
SHA1

5ecdc8ead0c9f7c8e47a3988c9f298c0a166219f
SHA256

72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b
SHA512

3e93ad4528c55344f8c070c17521adbf5c57642470ed4ce6bf1ef7074b56588e63e53f2707de81c86b45f9afc0fc4f4e06f8ff4056a720aaa4260ff6a427d11f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8:sxX7QnxrloE5dpUpobVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	ecdevdob.exe
1056	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0Y\\devbodec.exe"	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5S\\optixec.exe"	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe
2296	ecdevdob.exe
1056	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2296	2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	28
PID 2276 wrote to memory of 2296	2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	28
PID 2276 wrote to memory of 2296	2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	28
PID 2276 wrote to memory of 2296	2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	28
PID 2276 wrote to memory of 1056	2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	29
PID 2276 wrote to memory of 1056	2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	29
PID 2276 wrote to memory of 1056	2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	29
PID 2276 wrote to memory of 1056	2276	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	29

C:\Users\Admin\AppData\Local\Temp\72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
"C:\Users\Admin\AppData\Local\Temp\72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Intelproc0Y\devbodec.exe
  C:\Intelproc0Y\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax5S\optixec.exe

Filesize
3.6MB

MD5
b4149462b84ff6c62397ea20e0aeb56a

SHA1
6b4f79fce062e53518ea835dd64297825bc55245

SHA256
0f25ab1d74c503222c260c8c55d68f2c4e63ab12f639ddc16716673606ae253c

SHA512
4e47eac72856f52243062190a5eec43e85d3119e6b59303311fc19449dede206eed1a7473f1140aea1cd555f56cb162a1b3b95132fe2e74ed1255e2ecec31966

Download Submit
C:\Intelproc0Y\devbodec.exe

Filesize
3.6MB

MD5
7897964228d186b94e622bc133308045

SHA1
872d998778709e28bea8cc6add28cd94a80395d3

SHA256
ef16bd79f65713e2d8b1506335dff5ea0049b405c1cd4727e3286b65c658ee76

SHA512
be9fab1d02e169154071055898365ad264a302364b8ffc40a3a7c5ef666c03d247c5b6f56938e4213665de8c22ad719b6f728bb01a5e376a303e7f3f2f7e0883

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
0b8bde66e10d19e957440bc44c6febe3

SHA1
919532dedc7f07a5826717459dad7a2f02864a2d

SHA256
0272ccc039fcf03ee3a796fc61f957ca6367762b84ec846fe54d2ba54a838ba1

SHA512
26d9742a36b3c1b5adcbc4091f8b466339057b177ad15a14f7ac348f43ec8ef7f9aa4a5ac21a563479112583c64bd66a9d4ce3f430189e1a6f841887f9fe8a17

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
7dade2b4da33fe6135a1fa4b43107129

SHA1
03054ca1bdea790a3b839aeb1d4006096327f0d7

SHA256
226356fc8e700597d9185c18e1406aea531983439fff50f313b2d7ab3b45547b

SHA512
5966f25317c1754eef9842effc6e9b5a28409e95f29451f355e405ff8d02a9c1f567b24c998f63a92c07d79accb5079d97726acd3114d4a89f47179701c2e2a6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.6MB

MD5
c7a57fcc19c7932dc0324591ef202bf1

SHA1
2e471d47db59b8f6522af1138fc2f8096dc854f7

SHA256
e679d8b06bc9b99f5e05afd6a29e21b71b4ce637722e8a3f585d2d171248341a

SHA512
59e05d06f87f0da25b9c9b0f425c3e9af9120575b5425fe0212bbecf01d4af34f82429a8204ddb3b3d7c0879050af347a18a90639b053a4f632cda4f86ae951d

Download Submit