c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
Size

2.6MB
MD5

a013d3646ec49c2bbe5a80b79f92a757
SHA1

57920795b5684ebcf7120fd419f3e15fa545213c
SHA256

c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d
SHA512

67781659dae4885724aeac07c44ab1e10f0e78e6378867b7dadddc59601c23395ba62eaed21d273b7a3c13fa21fbebabdc91e3c58c40e8faf2cf154d323e3146
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUpNb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe

Executes dropped EXE 2 IoCs

pid	Process
1068	ecdevopti.exe
2524	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvF5\\devdobec.exe"	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax82\\bodasys.exe"	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe
1068	ecdevopti.exe
2524	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1068	2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	28
PID 2060 wrote to memory of 1068	2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	28
PID 2060 wrote to memory of 1068	2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	28
PID 2060 wrote to memory of 1068	2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	28
PID 2060 wrote to memory of 2524	2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	29
PID 2060 wrote to memory of 2524	2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	29
PID 2060 wrote to memory of 2524	2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	29
PID 2060 wrote to memory of 2524	2060	c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe	29

C:\Users\Admin\AppData\Local\Temp\c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe
"C:\Users\Admin\AppData\Local\Temp\c041d927c3ed87b2cdcb25ee7230656bbcec49031c288be54774c505b64f9e7d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- C:\SysDrvF5\devdobec.exe
  C:\SysDrvF5\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax82\bodasys.exe

Filesize
2.6MB

MD5
44d6211f56d8cec665fd505a2e5a7b00

SHA1
c94e0494ca5294abe5092c0600763a1bb5c83c53

SHA256
568a7d68089a999d6b5b98287bceee46982dc4d73be4ea5547f1608a9aff12a6

SHA512
7a78284517fb46dd29117e8cb6d7efc284bfc807dcd2e428331e56546513589aed417c557bf5f4b7d602f6bd4c6f3c16dbaccd3b15fa629430b20f5eec818698

Download Submit
C:\Galax82\bodasys.exe

Filesize
2.6MB

MD5
b08fc54bb9d1858e1405244b02f89115

SHA1
28f9a4033ef7196815cb5d9821e5e19b6f3282f4

SHA256
128237613a113204e6982cdd88387c5607dca0afa16889c84fb34c83f2903d79

SHA512
180adc2595171ef8844826245ad312cadb0ac7671248e8ea79e855490da009527b16161ed2119592cfc2fd322ecc899ccec1b5099a4e1fbd9a933ac20c9f5317

Download Submit
C:\SysDrvF5\devdobec.exe

Filesize
2.6MB

MD5
70754e0d64ed70971c4868de9e143688

SHA1
c5d636caef2badfc586e2eaa5ea3c47d7e70f853

SHA256
e0c7868d549badd2355500fc92a55bccd933af0aea07b33175e3d1ac65cf86ce

SHA512
eebef8d43f264b1527414a6df5d69c88c14f2d780f16b982d2ca3064b2eaf3025dc2e21aa3ef08d69c99a66d69c2e73c05db0046018483d29245e573c8b0c6fc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
364f5dacde94262334a101dbb733da0e

SHA1
01b0d82d4221d42c7dcc984c2209c598dc4d79b9

SHA256
24150455794df992449cc78e116d9abd8b8772ced448116ef22ccf9e38a55c80

SHA512
8b6d7aff6b2c0ab4337b4cf9a66b482726d559365fc7c98c3c739da1fc184d934c82a7fea71fbf14452f70965b697762cbbf94a5f721efc30198943dd2b1eff8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
8ebfe5f1ad9b9833646fcab7698d14c8

SHA1
204b0f4e9ec89725c2519f05311886ac875824ee

SHA256
199e535441c850563004360ba6ccfc599d49cb359568d81bb3e71faed9ac795a

SHA512
2c95d825a4218343f13ec9dc4c89de55e613d0ef2f96480501bcaba05e06791040d8bc8b8ce43ac970613f4e1e5585a3bd60557adc39681adcba6b5f58b3683e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
70b7910948996e9dae4035aaea24029b

SHA1
60e0f17414435ca3218e657124cfd678fd5754e3

SHA256
1eca29adb8be2ef28e6af8d20caf0fcb3bc2898effee51b68ea62a4193248ec5

SHA512
05bf576bfd0fe19836b485e3dc590032baa1499d2cad93cc547acad0f44d80ff92246159bc2f20817cd4d232478e4f83b191f4b9f77e96a2b344dd59e0c2918b

Download Submit