1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
Size

3.1MB
MD5

0bd66a4871db12318da46f98b6124747
SHA1

a10871344d62ed3daad4cd38b6b2d82400bb8887
SHA256

1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c
SHA512

0fd97884ae4ab6c794ea0dd127eb53f0ed64ece1a2b861e088f047b34798b517c3f68029b13a628bbc98b8d5eda8ef43e65eae028f5e7421c7474af48f35aecf
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpnbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	ecdevbod.exe
3264	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWN\\devbodec.exe"	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSI\\bodaec.exe"	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe
2936	ecdevbod.exe
2936	ecdevbod.exe
3264	devbodec.exe
3264	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 2936	740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	85
PID 740 wrote to memory of 2936	740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	85
PID 740 wrote to memory of 2936	740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	85
PID 740 wrote to memory of 3264	740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	86
PID 740 wrote to memory of 3264	740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	86
PID 740 wrote to memory of 3264	740	1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe	86

C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe
"C:\Users\Admin\AppData\Local\Temp\1f1695014bb1d0dd1f9f231452f0a1113fc632af1126e41861e5c5b417f8a16c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- C:\IntelprocWN\devbodec.exe
  C:\IntelprocWN\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocWN\devbodec.exe

Filesize
3.1MB

MD5
3d6e4a514517675a6a3c6d2bd4b91c5d

SHA1
4e0d92108edda58fcacde1f2ca0753b7203bfcc9

SHA256
dd4a90db7e48bbdb62407069b6d18283f72ca472f27ddf7aa30d1c46d9af6407

SHA512
5edaa3e383bc3d538393840d641b62072854f7f7cdb68322f28d0902fe477461bf7b1353920bbaa31fe772186664e67d0d5be8de7765019c9b3fd37367007dd4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
d15e02565947bba4756516614adc6f9a

SHA1
e61dca8a457b52ebe990080402526c54d1f276a6

SHA256
78da03ee6a91b98b8003b02a3d58e0527aff6efa388785051683e817fbd75cbe

SHA512
3af52e841e5e36ed92bbdae129a8eb1f3da1591a3e922df19e6e769d98951737743915fc42f5cd1d68c45a58cd0bfdb2ccd25bb782220b35ef22d4d4da7b5b14

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
0833eee9c4bfc3acd1c04a1de21cfb39

SHA1
9d861154744dfe8766f3bfe05f50eba348924bc8

SHA256
9fe4be092923ce2a725faf601ab8e0c2a4b6e23d227fa27fedfb0e60ba523bd1

SHA512
ee3c1f22ceebde268ed194f0a78452c7baeb97ef402dba138ac1dac66cbb4ab597920637d889711b288cb7fb1301b5c49fbb38708e3f43036c6954c675ce705d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.1MB

MD5
c20aa86efcbdfe1805edd9e941515f3f

SHA1
0a5945cca2c87eb4496f38c8933941eaa4a8d6ec

SHA256
612045b44d0234335f4a5e336db0257fbee714a4d93fd04cc7f0cb6894f272d5

SHA512
98c9136ee46cb70f0b73b1827db7fda7ea64595d56039759e9573f1d597607fd53ee85d92631c045061dd58d1b9d743edd5556f603960107a4bafb5d086dbca3

Download Submit
C:\VidSI\bodaec.exe

Filesize
2.7MB

MD5
d3dcb611fa9e330974aacee73682f01d

SHA1
a8019ee0a241f2d9683665a1806623034b2c2038

SHA256
6bce6ae0aab576efbbd3cb55bbaaa424c91492900bae8d26dd7723d1161c5803

SHA512
51d442fbef89c55d1f518675784449263cbc25eadd9425ba6e8b6b2c9715c5c2bfc08630727bc7f828e642c344bf225d380a4f02e88893e7fae94140e2fb9747

Download Submit
C:\VidSI\bodaec.exe

Filesize
519KB

MD5
c8d3a18c8154e67e4da522062318a330

SHA1
089cf21469f293ac6a1b7f926e365f7c44568cad

SHA256
a5c597c2e7fb75f4e4e3b8cec40e866b81ca438ac829a932237ddc0fe1d00b7c

SHA512
7786d5eb96d1ee1f18d82615152e152279e01c6b3bcf8b8cbb93e1ad47a745d81915efd0a44773ba04f51bda30d2a0bbd23df3717f07958726d859acc6b1a516

Download Submit