b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
Size

3.1MB
MD5

8de8acc6200012a1460fb562cf972223
SHA1

c07ced7fe4c0e3471fac9e2ab4cff7b8d72ac05c
SHA256

b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382
SHA512

d48078ca20d303bf84c0115c9a63872a7aae22a40b8fcf5ae88da54cd7f2889f281635cac757e386b00b8b2c0de617d4520670d336e1c681c0e23b93d4eb89f5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNXJqI20:sxX7QnxrloE5dpUp5bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe

Executes dropped EXE 2 IoCs

pid	Process
904	ecxopti.exe
3728	devdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesST\\devdobloc.exe"	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHA\\boddevsys.exe"	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe
904	ecxopti.exe
904	ecxopti.exe
3728	devdobloc.exe
3728	devdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 904	3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	88
PID 3144 wrote to memory of 904	3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	88
PID 3144 wrote to memory of 904	3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	88
PID 3144 wrote to memory of 3728	3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	89
PID 3144 wrote to memory of 3728	3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	89
PID 3144 wrote to memory of 3728	3144	b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe	89

C:\Users\Admin\AppData\Local\Temp\b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe
"C:\Users\Admin\AppData\Local\Temp\b9510d6d27656986d151b7f4e3e1de3c4749d0527766bb40c9dc28ec1b5f1382.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\FilesST\devdobloc.exe
  C:\FilesST\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesST\devdobloc.exe

Filesize
134KB

MD5
9fc09241eda4b480a49223098c5de6e5

SHA1
efd56f30671cbf9576d7a0906c427037efb80b7a

SHA256
78b5807d0d61c70a5b9210f5756a4263bb36449ec8d89c9684192d8b9a4d33a1

SHA512
9a2b342605f7871bbb47ca08ee0b439b72b59cbe3d294c9c024f06fcd544a74aecd0f1611bfa2e061046e09b611fc6a216412c394425402e86a3ea192806c3ae

Download Submit
C:\FilesST\devdobloc.exe

Filesize
3.1MB

MD5
e65d51a8e804c9505511f7bbd63f27ea

SHA1
88272edc0be9e7abbc92e66b7ceaded52a84e9a9

SHA256
a6cdc9825490014a5e047f3edd3fa18a5728c5b74c505b4d0809dfdde670a7dc

SHA512
35eeb0e3ec92c3cabeec3091db0414c03902f46943c03dece7395fa26b098122605aa61d7e0e3b0123e3035b30fdbb27ec7da69863d2464179eb5b6679ca8896

Download Submit
C:\KaVBHA\boddevsys.exe

Filesize
547KB

MD5
2ac6059da1172645b91c079497848bee

SHA1
37ae746c537eeba215fe43b517aebdb6c39cf093

SHA256
79b5ccdeda87684b2bdf728867b4277cbd4ff6c436a3a0115ffa2a7746a80c24

SHA512
43c13d3b275e0b7ad1552e42a5bf7b454ccad4a29a4a7ccf8f2dc1d8ae607a7adfc283b4f1ed9523fe7196831a787144d970141849a0196d77177ff279942407

Download Submit
C:\KaVBHA\boddevsys.exe

Filesize
34KB

MD5
4cffe9dd8bbd3da88030f4da1f6ba873

SHA1
826833e760f12db0bafbbb60d5d1873bfb062c1a

SHA256
ceb6cb640c178e21cf623359bf8c327d17182d4a805736bf547899403d40ae56

SHA512
9d20318f4f687cc8f1c81fff1531eae68c39301144ce242017cfd5b2c7c3ad3254d7c725c7778a048d0d9b37c813e101d567735ad24770f1919af06e6a27a1a2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
542f0f0deb92305b6d0d3823f34472d8

SHA1
f66a9c9665dafe1890b93e1575d46ba64b6c4524

SHA256
b3c0cd3db28b25b1a28ad547eb3a233c5d66d28d718d06a2c7f5e0fb36bffec7

SHA512
19ffebd80cbefd0b0eddf6857dbe424e7f1113fc2ab62fecf3bde4774110c6f7f1e0f0f76ee0c063b107493cad162b1a83bc3efa894574214f11f0e9e817a6a5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
709dc3fd780ad83364886885cfca6573

SHA1
683481ac34d7a16b4554b2ba8e1bc858fde73a63

SHA256
82e4309f3bc3a63be855c89bead050650bd4349ea0c78a546df4ec4f2291a9b6

SHA512
737a8183f8199511d5f406f01de0d18b03566eb7177c4d7e313751ca42cc17aaca6fd1ce58afa88ea1d152088ec32e11bfeb72a310d218501d14037288da9fb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe

Filesize
3.1MB

MD5
3214cd66b21b066dec8a5c35ccbbea3e

SHA1
0b1c825a98b706a583f5b9679c808854836e6d48

SHA256
7b6375f5f525858c4fcff8db0644b9064c53716239971fe28a520ab9c0223a44

SHA512
b5091f3f1dc071146900ae5a89da4cb48803dd20b7e2ee708dbd25997b65be2c4a3596b4cdd3757c36b0204e61f5b41a68fa895d34b9e1f1427d96cca994d71b

Download Submit