34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d

General

Target

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
Size

4.1MB
MD5

03a7e9995d0a557460b5d7670ba7dc2d
SHA1

4db8d8d938cb1ecf01cabfad0ee37b4268c0f0a9
SHA256

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d
SHA512

c3ad4bba75ae6ab4476ff5d164e72a0e6bb6b345679a8ebf03f9cec0298b24cbe9e2b3fe9cc2eb622a27ec6413ef7dab282e587105be799e5fdea8facf57009d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpGbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

Executes dropped EXE 2 IoCs

Processes:

ecabod.exedevdobsys.exe

pid process

944 ecabod.exe
1848 devdobsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
944	ecabod.exe
1848	devdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeS4\\devdobsys.exe"	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ4\\optidevec.exe"	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exeecabod.exedevdobsys.exe

pid	process
544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe
944	ecabod.exe
944	ecabod.exe
1848	devdobsys.exe
1848	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe

description	pid	process	target process
PID 544 wrote to memory of 944	544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	ecabod.exe
PID 544 wrote to memory of 944	544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	ecabod.exe
PID 544 wrote to memory of 944	544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	ecabod.exe
PID 544 wrote to memory of 1848	544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	devdobsys.exe
PID 544 wrote to memory of 1848	544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	devdobsys.exe
PID 544 wrote to memory of 1848	544	34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe	devdobsys.exe

C:\Users\Admin\AppData\Local\Temp\34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
"C:\Users\Admin\AppData\Local\Temp\34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:944

C:\AdobeS4\devdobsys.exe
C:\AdobeS4\devdobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeS4\devdobsys.exe

Filesize
13KB

MD5
8c3627c138b69a29f1f3e7743c377ac9

SHA1
38d00db20d4ccba9fef285bc5b2c50eb73f352a7

SHA256
2d835e282b9a7e65559019000af2d36aea1151090066ff801f25da276c99e627

SHA512
0e81b2f188fef8742620e583da5a47aa6eae70cf24a798f64d916f01fad49d5ad6f3e883deed9cc6b3dbd7301c28e483ebcc324d83c8a63b41ef839432ef7a21

Download Submit
C:\AdobeS4\devdobsys.exe

Filesize
4.1MB

MD5
4375afc6733dbc0b90afa18085b022d8

SHA1
926bf548f6527f436dc5f041035b57e6710eed2b

SHA256
8c261cdfa4f7e1393331f26ea5c4988dd3a8346796afe94b765b75b66c3636b6

SHA512
b8c3074e3b25c73b0dfcc62a89d607940ddc700e4aae590b19452f3ae520fb1ab08ab28e55e30d388a7635edceba22d53261eacc5c53467e85b13b0eb0d03b3a

Download Submit
C:\GalaxZ4\optidevec.exe

Filesize
4.1MB

MD5
d9db0d2b7650975510da74005fbf1ecd

SHA1
8bab17113912855de84bb39025d06687474b33e9

SHA256
1c00e73ad1525f0cf1ef2e314f6ab82d5f140f8dfdf62f7808706047ac135e3d

SHA512
04b7c3119c04d9e2a7cd7779fd8ad1cc8e25404af4bcb7844832ba66ba907b19023148a3fe96dc83552879c58a8f547ecac9818be59f24059128fd3d8eb37801

Download Submit
C:\GalaxZ4\optidevec.exe

Filesize
887KB

MD5
82146fb03fd0e9fa9326939e41d7021f

SHA1
d38de66a7de6f4360cad2ab2bbc3f30043911e89

SHA256
99da567c8e8751cd3ab7444c635df7e8b15e8891e74333ba29ccbee629f59d52

SHA512
aca6c862cd359c4b615d583488584542a8601eec922b3bad65f6697f05a2cbe05c2172f50a378e8d14e929c95095fedf96accc4cdaa551b7d7742f6ac386c219

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b9c4ad900ff4ba27ad0850b125ca7c24

SHA1
dff933f4585e54285ac0ca5fceb650e1d6f56d4e

SHA256
66bcf7c1bee825be5157855623b28d02752cc4f6168b98c0a41be27699906777

SHA512
d03a1558ab04c2fd57b76403b6298bd4ee84237879f4cbe14ab909d4208ea6c86a1d7b69a0b522e3e74a52462c5dc477a395c4a9306553baafc5b171c35dd7b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
9733f12cb0c6a179527bf8a410b9fad1

SHA1
a9fb6f6a2cf41e5275f46115d54833f304e0ac53

SHA256
56e2f41cd01fc6374fd09c7877d7b69a1b9d3a331402db20f2258f5207214e2b

SHA512
b97e36d078fe2afdce76df01954c410f67c4bcaf8c91cb0cbad91687cdf61db6dcf383638c29dfff2aa65ce7a087cb9fda749a504f6e9fe496ecbf41dc08bef6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
4.1MB

MD5
77c43e4f36b0c70eeb20a322591cc226

SHA1
5819146467997e4ae9b7ec443debf1d58ac3b79d

SHA256
acc6c43f8ab31da673c9f3ba7925295a42a44fb6c56e17f00c4b0a1daab64c7e

SHA512
69175a3013056f03bcadf70f88eb42fed9ec642861e3f9c72c2a9b549c63cc26915af791ac3a1563527d7d0bd0b47f729ed7a3036f148b8be077b1abda25485a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads