f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 08:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe
Size

3.1MB
MD5

7eeaff195118688004a0c33fb7d805f0
SHA1

6e85c3d1ee8de356b1702d1e0aebb4d17b489baf
SHA256

f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40
SHA512

416b075dd45d192a53e6c956bf64b309d62a485987fd82d3ec47dcbf5561ad1a4952c47ee461893e63e2263e4401300573a3a431a872279a59e0b296bb203a96
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp6bVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	ecxbod.exe
3060	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe
2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesH7\\devbodec.exe"	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2L\\optiaec.exe"	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe
2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe
2672	ecxbod.exe
3060	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2672	2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe	30
PID 2524 wrote to memory of 2672	2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe	30
PID 2524 wrote to memory of 2672	2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe	30
PID 2524 wrote to memory of 2672	2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe	30
PID 2524 wrote to memory of 3060	2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe	32
PID 2524 wrote to memory of 3060	2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe	32
PID 2524 wrote to memory of 3060	2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe	32
PID 2524 wrote to memory of 3060	2524	f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe	32

C:\Users\Admin\AppData\Local\Temp\f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe
"C:\Users\Admin\AppData\Local\Temp\f8ad2480ed76130ac8c96887ef4710f15433cd599d47898f86d8baa1e8a26e40.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\FilesH7\devbodec.exe
  C:\FilesH7\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesH7\devbodec.exe

Filesize
1.6MB

MD5
9881c8bcc42f1720567a6c395a5e79da

SHA1
48eb12e643e41e32ad5a21540e97853552d06aa9

SHA256
f63cce180fb4b15675f94bbd4ce4a3604be0646944c3e58fe3a2f3a3af9e1fe4

SHA512
7905ed4081b27aed1cb878138ebefb3fa7f4f1a1a46c923fdf111e93c585fdebc5fba84684c6dea1ba620988034b17394d2f73082e791e098f4be0b35e4879fe

Download Submit
C:\Mint2L\optiaec.exe

Filesize
25KB

MD5
5762bac0acb51c17f2d50d3089e9a468

SHA1
0050c15f18fcfb7ccb580d1b978828a14dfe5548

SHA256
9ba88174226e3e60f0e21fe9ea512cc1b77c4e88e7cd924a32a5d3ca62dd78fe

SHA512
c653b3411dcef476e2330af4f8649c7cd0bee4d00aa083bcee7ee9e5fa618df1779ef8f2c1a39238cb514b17f7ef07ea5a11b68b1ada79e11743feca9cf8a93c

Download Submit
C:\Mint2L\optiaec.exe

Filesize
3.1MB

MD5
2f9b1b3b7178c72206e8c9248b2fc90d

SHA1
ff0426ee11b190677478c88106626de852a7ab69

SHA256
bd976205609dad8c6d6006f19d60dd65fa1ffe3f89332456cf521e0b2e75ea6c

SHA512
711ab2f9bee79d10f5abd285721faffd840ff37acdba174e6dd90b83d90643ca55aa9959d5aed1880d5772162a5b465ae844069eaeffdf360c26bc296392c894

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
a6dda8ddbde5800af72fd3c2e9d1b70c

SHA1
524f1c260d8516a1dd0bf621986f62d7a014a685

SHA256
4a726034dcf20785e264089578a1ee3cd5d4a99b53466bfffac45ec9403601be

SHA512
695473456ac2031b93cb8bd8dd9a76b27e8ff1fbffcf8d5d40c414e89f5480dc7a1f6c417b6417fe278c546a3fb575211d810e902a0590829e95f18629f5c275

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
d460c84653fe055de8e581fa27485733

SHA1
64a1c974958e4578458be9c887155070b6a6b5f6

SHA256
77a54ebc2db953cbe52736591f5f2948dbaafc718b1631d8eb943f3cf7d17d30

SHA512
64d7617178832e7984a1029e2b06e409aab4d9dc1c0d8e8e02b1c8cbf2f5a36b42b1df01915d219c9b2f4a0a031a9819bf2cbeba0ac5f3e32dfe205f39d49a32

Download Submit
\FilesH7\devbodec.exe

Filesize
3.1MB

MD5
f0ddb6784222c4d7dbf4b9e7bb9a960d

SHA1
2df32ad336510f55410ae5316902361a7584c79f

SHA256
b9e864f57835ad82a8cd696207493117297bca8017c6946a6caf63215cb4d6fa

SHA512
b36248cee9b4fb203b1a6170b0c4af44788dd75a015318ce3a21187542ce4ffdee50d0b7ad3ae07fbb6658f7b8ca0f17d476e8a432a9333bcebd749fe700f7c6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe

Filesize
3.1MB

MD5
fcdf1bebf8e2dc6e399322a64ce076c2

SHA1
0d19abc4dfb2e61226daf858a6ca4a290dd20de5

SHA256
32510d32a055a7273d7d35746dea282468075eb3098a35a533b89fca10107082

SHA512
c729641951193ab0e01b310df193290cb94af832254ef7b4e47ef3b65051f301f7fc3c758d1bce78623e8d29b955eb527ff6abaa6e45e0ca6e209f3e8903e094

Download Submit