cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
Size

3.6MB
MD5

40dc544ba99243539f6d6be8a4bbd796
SHA1

c9fceb70dfdb1fb185c6d663e1d54d4a03979450
SHA256

cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec
SHA512

f6bd2492af9a6ef73998ed070a95c8d2f4476dc238f8d0c9ee690c95f3f957174b0635205dca45f43299cc01a8c07b2161b39bafd86d91a8f1928055d1658167
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8:sxX7QnxrloE5dpUpJbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	ecabod.exe
3684	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLI\\devdobec.exe"	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2X\\optidevsys.exe"	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe
2000	ecabod.exe
2000	ecabod.exe
3684	devdobec.exe
3684	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 2000	3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	91
PID 3088 wrote to memory of 2000	3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	91
PID 3088 wrote to memory of 2000	3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	91
PID 3088 wrote to memory of 3684	3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	94
PID 3088 wrote to memory of 3684	3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	94
PID 3088 wrote to memory of 3684	3088	cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe	94

C:\Users\Admin\AppData\Local\Temp\cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe
"C:\Users\Admin\AppData\Local\Temp\cd6667179b2ab587b458af97bae8027788a8fe179686d1c08aa924d7b5634eec.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2000
- C:\AdobeLI\devdobec.exe
  C:\AdobeLI\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLI\devdobec.exe

Filesize
2.1MB

MD5
c21f36d19f9421bf4cee3a3d5f720eca

SHA1
9890265a15487347de3f8ee4aab48e2555f18e1e

SHA256
cf01c73de84900eb3622a755e39659e7a1e38d216aa6e44ae0117700e80b1863

SHA512
cfa79f510eb57d606e5939fa5f5663a844805f720a125e4095afec701c107c7cf1d54780cb601e09b983560871457cf938210bd418f75eef281a2fb12ee1bd6b

Download Submit
C:\AdobeLI\devdobec.exe

Filesize
3.6MB

MD5
9117d22475fe7eaf6bc63465d7b644e8

SHA1
7a19d618c3b4792eed17cbd6c3f7e759eecb3975

SHA256
d8fa6bf94ab0d9a1dfdae3e1b9eeae9cb7539d38dc321a361be6881156de3add

SHA512
4f919489b1b47035a0e37ad81ed00258c14e0328c5b499f72f8280491e0fc5ecc77786fce236eacd410f7a9185e72353b85c2caa724251818cba1f6dc70e5f49

Download Submit
C:\KaVB2X\optidevsys.exe

Filesize
3.4MB

MD5
af5abc08f5554ef5629d3c21915686bc

SHA1
4ba7472470e4861d39a2d2bb1952f937fa49cd5c

SHA256
dd5c51de3db9f20b1d06d29713c916bd61cf1e46e7932742124dd68538e99a33

SHA512
7a0f98366c5e9fea80034679676a6b7e97041f5440789a1367644a80a69351244de10d1c427e6b797f79c74c48fa8b2a0f942cddce1ce87a2c9242a0f7ddc786

Download Submit
C:\KaVB2X\optidevsys.exe

Filesize
28KB

MD5
d405a6e6ec1ee7e8bde0fa127d94f818

SHA1
3a4fc1b8659a42c0c87e2cb68df493ef10520626

SHA256
f7769493a434bb396a726643dfcddb3d418728f3d2de4d39bc5a2304e2078ec1

SHA512
0db30b1f330437d858e2a4f9ab32ec3ac5e2b5fdf0605b6a0bd6f7bd3b17f31a4967bac0fd7b59c07caf47c5cd0bc0b3e81597652c08a98bf5f1913674124529

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
18f2b012f8ff4c0d45d1edf9975c5305

SHA1
ae5af155f54b5843c2e70534d42fca0dc99dd3e7

SHA256
4315fac6c192a2aacdcdab7f5236a225d03cb7f537c9b3c001dee15ccb89646e

SHA512
cc2ecb06a60ccf495e862b3c8a05f184fc849806013b69e09762fb1b7d27fb65322c13f7fb1d80931c726d1c29b740b0d8238d01a736898417a1eabfa9b957f9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
62fb4dc8829041cea82bcfaef63b2906

SHA1
d637b8a368e541dd299874acba48cb09a204b21d

SHA256
7a7160fbb84b0fbe23d08862b9b8adff9ae06afe250d7052594626c5000d8f0c

SHA512
b0a841fa507a31a6ed487b8477b81526466785d9d077c6cbb0c17c203c708f3a5eb70d71d184ea6c4ae35dd8904816e0e57461006483ccf8227d4bf12017bbcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.6MB

MD5
9378f2d92657663afb41149c0c48b760

SHA1
07eb4ce9f2e5c3ec6122f9f87999e336f3e7d7f2

SHA256
5f596415508a57bed68f43c57bba469a99f8071c0be50e2e777f230d3587fa11

SHA512
f51d3556b70e47fab6e0281632497397a78d6493e21ade4873f2c4ba118595d747d85d0a779aab39437a39ca7a0b261e4673a45882c82c0fda90965ea652518f

Download Submit