f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
Size

3.9MB
MD5

bd9d4a797a07d88b048aed6a4762e21a
SHA1

58c1b944fb8070862b40c4c0885a11c36ec89466
SHA256

f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da
SHA512

6735be72b2584d4c34bf4ea922a9acfa8dc992724b20f1332d8a465306d876bff49abe574e572f172671d8c0bcc1aef08eb58e9dd3ebf1e54c1566a062c0ee7f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpebVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe

Executes dropped EXE 2 IoCs

pid	Process
1436	ecdevopti.exe
3024	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8T\\devdobec.exe"	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEF\\dobdevloc.exe"	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe
1436	ecdevopti.exe
3024	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1436	2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	30
PID 2556 wrote to memory of 1436	2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	30
PID 2556 wrote to memory of 1436	2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	30
PID 2556 wrote to memory of 1436	2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	30
PID 2556 wrote to memory of 3024	2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	31
PID 2556 wrote to memory of 3024	2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	31
PID 2556 wrote to memory of 3024	2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	31
PID 2556 wrote to memory of 3024	2556	f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe	31

C:\Users\Admin\AppData\Local\Temp\f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe
"C:\Users\Admin\AppData\Local\Temp\f4277c446561273e282bfb3e8710be0742c6f0c7cf5f46c325bc59cab309c7da.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\UserDot8T\devdobec.exe
  C:\UserDot8T\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot8T\devdobec.exe

Filesize
3.9MB

MD5
7a3aa8523d3bcadfe785ffa3fc6271d5

SHA1
49dedc64add0eecdb0950a365ddb325157e2d918

SHA256
8f1726416191e74a192ad2d33344b853e4e172fe35369fe8a00512b477026302

SHA512
855e60b93b0cfc1b0c599025a74ea82756d704772c6611d06222db3fcbaa244c388332804e33c272b7c99f7cd8fc68947975498461b1cad8b9b89ce26b4537a6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
34319b50873408a05ad6d8b2a91a61b6

SHA1
70a04f6c4a5f9d106d253492e98640a8d9ee475c

SHA256
0e2c60507b0e0b79066fd467c8211bf9242cf343cbf5106e78aa21eb86e9e04c

SHA512
303d233d6f6f433189011cb2aa129a3e5ea761c7c61fe326aa09566aed1a63b9bf0c5fd484a17c74760a446360add304e52f88c551cc21e727558148ae3a6a7c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
9ddbd6d902a1d825bf3c2c447c119140

SHA1
858cc842577f16c40e6f12110687c88232d98e03

SHA256
9bb77e8c0064a4c54a9168c4cbc543a74ea93aef8f75704990f3cb42ab7de408

SHA512
f36693355c04041c9386c77239ac534d2311e880bbff4b0cc35b132a41b9b80f5247a6f0635ce2e70477eeb196aec5cbf6349f8298efa5bda2b7d2c5bc7d9a52

Download Submit
C:\VidEF\dobdevloc.exe

Filesize
3.9MB

MD5
cbe238c947129a178d2b50240956fe40

SHA1
ab4736420d91fca222950b10b2e76c05adcff522

SHA256
7e44574f00616da2a1bb05ec9729bdbde1383c3bcc4a67b3879b3afc3328dd1e

SHA512
a8a8a11532d1b7b03e81f9e83dca41113e634e926b3a5e4e7cacf64460daa94fc51e3e0e8af1abff3f4aad039bdaf04df4a391199f22da78c0903802e3bdb579

Download Submit
C:\VidEF\dobdevloc.exe

Filesize
3.9MB

MD5
dfa8651d151c342b90233e6464bf38d1

SHA1
071e954e1d89b001f4bf6ba013ee300bfa55ae12

SHA256
83d8d7fbf842d044f84267270991ebaa93bf977d1936f5c4289d7cf8451e6484

SHA512
5451ce42249c5222a0c93a2eb3523c905e62b4102aa5f711591f5019b956767202baac267dd11d394d9a743b21a9152b9fbe2115d7a680441f2c0b8a9be98d9f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.9MB

MD5
61febdbfd7d23c6fcdcba79180f4d0d5

SHA1
bcc608da260f94172afa7131c21f21dba0f61b8d

SHA256
f55407bba3f45d8dfd775ce61c5abaf357c5255429a425fe0dc8ce55c2a62908

SHA512
b1a8fc221b4b267308e4530b9f7d3473eb028449fd53479e5fb4f809193041ed13b8f6f5676aaf48de670963cc5cea56c6af3491d5f76e14fe485a1f875bd8b1

Download Submit