1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
Size

2.6MB
MD5

0f313eb860c87f6747ffb89aaef74c64
SHA1

4aee1be53cf5853337445a419d65b13621bf25a1
SHA256

1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747
SHA512

b35da1b690d99b4ae944a024b7755039dfef3ecff2c60bd594cb1dab06e58fd34105e8795318069ebd0f36b72ae51ed1d95a7da881f5ac0169306ab32359c673
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBnB/bS:sxX7QnxrloE5dpUpYb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe

Executes dropped EXE 2 IoCs

pid	Process
1184	ecdevdob.exe
3688	xbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeW8\\xbodec.exe"	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHM\\dobdevec.exe"	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe
1184	ecdevdob.exe
1184	ecdevdob.exe
3688	xbodec.exe
3688	xbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1184	1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	86
PID 1844 wrote to memory of 1184	1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	86
PID 1844 wrote to memory of 1184	1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	86
PID 1844 wrote to memory of 3688	1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	89
PID 1844 wrote to memory of 3688	1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	89
PID 1844 wrote to memory of 3688	1844	1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe	89

C:\Users\Admin\AppData\Local\Temp\1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe
"C:\Users\Admin\AppData\Local\Temp\1145114b78b49fa074d1c593ea16c7c049fa005a9fa9bfe15c29bc35b758a747.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\AdobeW8\xbodec.exe
  C:\AdobeW8\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeW8\xbodec.exe

Filesize
2.6MB

MD5
d8728d6f8e024ab728cd38808ee24058

SHA1
48cda8ea46be5748d409a8e305d45d9ecc37ad61

SHA256
9b73b7b1997081dd2afc2e252c4c9dbc060e3c4e2218e3fe6829276e9e2d1b83

SHA512
10ce44785e8a0328f16eadad8ac70f88aff80264eadc559b99951781c4e3bfe591ed02d0bcbe95e8fed878983217c5d6a7c29be71ef89abf155d6c31e805ddc1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
0740b0c2b0c3d9f98231e949b28efd5c

SHA1
8d746827579afb6d7ddd5e78700b8c089bb97770

SHA256
2d18b32719e2a871e5baff85312cdd7fb063c07a72caa919b95ba65786b6e2bf

SHA512
f7b5dce437d1f5beae5540c94b31ff1c911c2f1b86f45bf4042b3587e946fbd3a87a76c597fed9a60d450ef58139bf6ddda2b35a1b8d1d0665177c4592a7a42c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
f8258b0e80b8d34b649b09e5cff172b0

SHA1
1807ba777903176b2d6565d10318cab25ac826e7

SHA256
ca5fa9c9c6e732246d7315806356fe0e9e5303e4ea5aece6c1a2e257b7ee2816

SHA512
bc3345e723c6c96e79211809fff9bf9fc2e96f4ce8912cf17d83730c9f74e4e364973c4e2391faaf83d9cb9cc4142a130d24080c4971eb181ac71a92ffc503f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
2c9eb9f0a3aaf2b1e16edee8dddbe0f2

SHA1
c5d011b37d21778734250cafa5aa757905405bfb

SHA256
2a7deaab9f7b087de710a6f3721ed57b9f37ca052eacc689f88c5a035410d8bd

SHA512
2a36a8b9391a51095b74778d56d82f08cee5870d61e4b4020c5a971c7ce01d7063eaf43f8e1eb881d6174d8d6144785a4876223576546b2293d0e3f9febba95f

Download Submit
C:\VidHM\dobdevec.exe

Filesize
2.6MB

MD5
ce6443f85384e44847c7e3d326ebb3f3

SHA1
bd56fc05a96f74cb0236da934549e8201d480d88

SHA256
c93d329d4221672ed4934b99db4ce32c6373b7e85f181b979dcdf473bfedd850

SHA512
9964a59868b5f7e12c465cfe2066762f548503ba52c4350d29c210d1f078b75f8701b4a912b57fc2fce089a5b326d074149004f5db903cafa19c5de11e6764cc

Download Submit
C:\VidHM\dobdevec.exe

Filesize
973KB

MD5
9f31003fddf65b850968ac1e9e8f5bc8

SHA1
a00af3854436c93cdc028a26e355356c847ef063

SHA256
136058570e51a87551dc67d0bc155c814f5b5d026cfaa1600114af1fb897690b

SHA512
6d82bd39da8c77a6ccb6bc5ebf218d4e6a76eece97a21503c3d705af8501c1b8a23ab0e2b366a4992d555d7d736645fbcd8f1d031300308ba352fc606acb2829

Download Submit