5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe
Size

3.0MB
MD5

ec177b2e60072c63b4ca3d703ccab3d0
SHA1

f35ad8806c38a65a669e5e8f708d8ffb36e6a84d
SHA256

5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af
SHA512

819573139a09ae42efe06b08f2f9b81ce6e3225aa1797a9a60aa3068b2f7104c99117d8abb5528966d8327acec01251feaf84b8343fb75f19f9685b29108fa7d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNX:sxX7QnxrloE5dpUp8bVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe

Executes dropped EXE 2 IoCs

pid	Process
624	ecdevopti.exe
2792	devdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe
1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLZ\\devdobloc.exe"	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidS2\\dobasys.exe"	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe
1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe
624	ecdevopti.exe
2792	devdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 624	1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe	30
PID 1344 wrote to memory of 624	1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe	30
PID 1344 wrote to memory of 624	1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe	30
PID 1344 wrote to memory of 624	1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe	30
PID 1344 wrote to memory of 2792	1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe	31
PID 1344 wrote to memory of 2792	1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe	31
PID 1344 wrote to memory of 2792	1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe	31
PID 1344 wrote to memory of 2792	1344	5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe	31

C:\Users\Admin\AppData\Local\Temp\5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe
"C:\Users\Admin\AppData\Local\Temp\5f3bc6a4c502ea931e28ba0de51d3e7c3c57c8ea5a07e6055c4269d36cb635af.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\UserDotLZ\devdobloc.exe
  C:\UserDotLZ\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotLZ\devdobloc.exe

Filesize
20KB

MD5
2873fb57ea06e0913c9b5dde7bd73c2d

SHA1
c2794b886d0f3c44e805ffe343756fd81b5c87ec

SHA256
08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587

SHA512
9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76

Download Submit
C:\UserDotLZ\devdobloc.exe

Filesize
3.0MB

MD5
6e819691445920cf77079db7de10685c

SHA1
1c7b0469164f8783b3130118fed427db79dd4637

SHA256
c25be351f4e0fd36b6cf3e208624fada0d4540311241e8d78ac8bd2231f8844d

SHA512
1fcea053ca663c23c4b89768be3066bddb3565d37953c1035f06ba28f5bc96adf66ddf61e3f36451f685bfe4afaf23ee7f345204df9345b7769bec65aee690a9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
efe0a1aceabb9e1a55ea6d4209f5a242

SHA1
433363faf4763ce5dd3e912cb6955779b40d8181

SHA256
d1fb70519f6340cd52b16cf9afaf3fe22aaa3d885d60c1ceeb11f9ddee6fe357

SHA512
1cc60bd6e364c3a1fd0c9fbd6583e9e791224214ca73b2bb2b47c62d1c75dcdeab463cf8d49910d2a1af056263c81e788e728f466bfdeac4f1a4b33c92cfee30

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
2f908216fadc4eaae4cec6896826c224

SHA1
fb2270483b12151657d3a799bee0b951af455f01

SHA256
8f08d6e9323198cdc998ab8ecd24f3ffcf47cb230751523011c350e3d27a3172

SHA512
3f8715f448905ee20232d7514cf3bd8ae1bd5d840985f09ef1a798091e4e0ed805a175c1116ab4475c446aea81f0a690748a8ffdf0b0ea36d2cc2d094edf66ee

Download Submit
C:\VidS2\dobasys.exe

Filesize
34KB

MD5
d2b9a25a756d72f6bbbf28b551a99921

SHA1
1d175064f1676e37561dca062e42594bd45c07d0

SHA256
1cf6affc6cf38984ac8605a8b696bf05067aa1c06b22a3b41b8277c2f89ccf9b

SHA512
7a8baa3966ec67a3b030815e7ccf52800e04b87325b079af1352df4f1013626ee42bb288dc19ef3830354d66d1a42f14419df17fdbcb410cf8cd778f0f8187cb

Download Submit
C:\VidS2\dobasys.exe

Filesize
3.0MB

MD5
6c85493948e9e8096b608f8764c0ac81

SHA1
5072b66aa0859ac8ddf97e98e56d01b085fe4a41

SHA256
134ce16f613880523ec9f22d953b8c750221b2ef6f946e95ff26de987dd4db0c

SHA512
0d058a1584c024c31ab93a4a16a330f2f7f7ae4555e75cc37ccf63bdded5f2e8548170ab16db6de139f7e70c4fa1ac3158fa489fee5a142ae7d24e54a42e8fbe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.0MB

MD5
4a8fe30fc3b26b737640699455efb6f7

SHA1
02e0416637a55ca1fb6a049c1f566c3886e60243

SHA256
0cf48c6ff2a4d1b1d0143700f648d059b953bca65ffff4d6980de53181b73699

SHA512
641b215bdd9aa4e7adfe7c1df277bf28e949c301350ca41e7f0b903efc06a4df853f50205418972c96259d38f883e0ac5046370c3ee3154a15ffef66f3dac32b

Download Submit