9e07639e1f063dc70b20af9bfb469658064915b0c814494f12cc28c1348613e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89606ea9cc1e017b813d55868d8bd980.exe
Size

4.1MB
MD5

89606ea9cc1e017b813d55868d8bd980
SHA1

aff596ddbb9d76ad31411df9166ba17bea8c4ca3
SHA256

9e07639e1f063dc70b20af9bfb469658064915b0c814494f12cc28c1348613e8
SHA512

c95df2d0739539a6edaf8cf29477590be14183d7a910131d1cdceb3ad195dd11067ae69fe3be2a15db4e28af6ee0737a4c539730cbfbde5449ffeddf51605fde
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBTB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpcbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	89606ea9cc1e017b813d55868d8bd980.exe

Executes dropped EXE 2 IoCs

pid	Process
4780	ecabod.exe
4188	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1R\\devoptisys.exe"	89606ea9cc1e017b813d55868d8bd980.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRD\\dobasys.exe"	89606ea9cc1e017b813d55868d8bd980.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
392	89606ea9cc1e017b813d55868d8bd980.exe
392	89606ea9cc1e017b813d55868d8bd980.exe
392	89606ea9cc1e017b813d55868d8bd980.exe
392	89606ea9cc1e017b813d55868d8bd980.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe
4780	ecabod.exe
4780	ecabod.exe
4188	devoptisys.exe
4188	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4780	392	89606ea9cc1e017b813d55868d8bd980.exe	93
PID 392 wrote to memory of 4780	392	89606ea9cc1e017b813d55868d8bd980.exe	93
PID 392 wrote to memory of 4780	392	89606ea9cc1e017b813d55868d8bd980.exe	93
PID 392 wrote to memory of 4188	392	89606ea9cc1e017b813d55868d8bd980.exe	94
PID 392 wrote to memory of 4188	392	89606ea9cc1e017b813d55868d8bd980.exe	94
PID 392 wrote to memory of 4188	392	89606ea9cc1e017b813d55868d8bd980.exe	94

C:\Users\Admin\AppData\Local\Temp\89606ea9cc1e017b813d55868d8bd980.exe
"C:\Users\Admin\AppData\Local\Temp\89606ea9cc1e017b813d55868d8bd980.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Adobe1R\devoptisys.exe
  C:\Adobe1R\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4016,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe1R\devoptisys.exe

Filesize
474KB

MD5
ecab870b640fe1665f7405bd8a12c1ca

SHA1
79ac0a23b41d2c6dcfe3d23ede47d88569f315ed

SHA256
8665a23b9ad678774fe99948807e9251a824f4fa76635ba85f95577cc51b3471

SHA512
e28c492b79021ce1b98d2ee0e86b12c599ee93c8ef26fbd054370f67259f3cc8242589cce55ef57616e8f0b4a6b366fc848a6224bc8e6c03e73f360bd532027b

Download Submit
C:\Adobe1R\devoptisys.exe

Filesize
4.1MB

MD5
0200c3ec13d8ca750259e1f306fed331

SHA1
43321f631ae9fd022ffdf97b448ec2751cc4d00a

SHA256
b992c6242cf5c4db1e1bf5641d40870e8ef0f5deb9fe44e41c12f291b6d9169a

SHA512
24728c35cdd2ef6d043e14755d432497fd9326322906965940b5f13852f7ce1c6570b827744f7cd63a8c3f7bd9d7a5916ebfe6f64c1702ab7212dfeb28c70d5b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
2d95b9e0196477b727abe296e672ae46

SHA1
5c8015101f82740ce3318bbea57584e4b01803d3

SHA256
351d2a85f12784dcf151c6823613ef9c5d3c9ff59b90dfd739acf359091cdf0c

SHA512
38b5d4a9bb2c20c3b040256692516f7f65d41cc2b0dacfd347645837617dc9efcebe74a790deb9774d92a920c37f1b46753eb302bb4f16279b2dfa73462e18e4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
df0d25aca8f7fe90dbd9f6db4fa87dd7

SHA1
c5fd0b5309000ced4ed6e2e4ea3ae93dfd3688f4

SHA256
1a309f90a8e38cadc8d9e211cccda582d944f5f9524a99388c8656a29914b0b4

SHA512
6e33fd0cf494dc3cb6d757702bb3f47a2c9e6e5e42e36d5f06ee6b2263aefa25b61b9f91c70b74dd8f4fffb91401b942b549f1d634203b8e6984f7f3050daed1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
4.1MB

MD5
a2c52bad27fdbf9b400c232942f9e764

SHA1
ff8a11be8c03237c970374d2eceb76123ac75cb4

SHA256
2c7850b7344a4834bb952af976ddb01dd90e38268ec019aa5ca6fa7952696798

SHA512
c138c9ccbaead83882d67a327a1e384bda8f6a4e16a552b973f0fe8f4595f10895b87fff2240f46dbfb3d6be2414a3f444c106bd1495c218965455e2c95adf2b

Download Submit
C:\VidRD\dobasys.exe

Filesize
3.5MB

MD5
0fcb7aa14d6b07303bd55ab39dbfb0f7

SHA1
a79174343482a67e077758beeb4c205765a52005

SHA256
5dd3b4220725f5e6f9247a382029540f513e649f5b81b359c1112cd8eb12eda2

SHA512
af5dad1ddd3ad64b8937d44dee480b7d0d46176f03bc72b03bbd9b72ec27bea38df5befb076db646b56a769de2fc308d3152a4b94de2ce65b472c6e1dc4595ec

Download Submit
C:\VidRD\dobasys.exe

Filesize
4.1MB

MD5
26d1cef9bbc9b2bcfaf2398e3e70a51c

SHA1
44c1b7ed670f6dcc1a2c6fa5b677ee1c4dad61a6

SHA256
64974c3a51d111c9bea119c7571c38b330086b639640394fb2e29bbf67a8c00f

SHA512
82622b8750c6ce7853f58f6df4141d9d6a7d102a8aa9cc90c8b7b2c85b4d24630e650484c0b2bfb4c3407ffb235ab873c2379292465d3a4b28576db2129fc6ad

Download Submit