b993fe09adf88c701f120c2d78f4833e0d7360c048cf573f93e5bb161f431071

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 20:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06cb59f0a8c85081f67a6ce034c18f40N.exe
Size

3.0MB
MD5

06cb59f0a8c85081f67a6ce034c18f40
SHA1

13c10d40c078772e5dec268ca31322234ae9ffd8
SHA256

b993fe09adf88c701f120c2d78f4833e0d7360c048cf573f93e5bb161f431071
SHA512

11fab86b6d5e63ee35388756f2f0399212c18babb3f723cfcfcf3ce4b479b45a3c73bd72ba8a8bc829e4f9430629d2dbdff595f344c93d96a61b39225dfa17b2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8:sxX7QnxrloE5dpUpMbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	06cb59f0a8c85081f67a6ce034c18f40N.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	ecdevbod.exe
2836	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	06cb59f0a8c85081f67a6ce034c18f40N.exe
1932	06cb59f0a8c85081f67a6ce034c18f40N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3O\\devbodloc.exe"	06cb59f0a8c85081f67a6ce034c18f40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2B\\dobaec.exe"	06cb59f0a8c85081f67a6ce034c18f40N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	06cb59f0a8c85081f67a6ce034c18f40N.exe
1932	06cb59f0a8c85081f67a6ce034c18f40N.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe
2128	ecdevbod.exe
2836	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2128	1932	06cb59f0a8c85081f67a6ce034c18f40N.exe	30
PID 1932 wrote to memory of 2128	1932	06cb59f0a8c85081f67a6ce034c18f40N.exe	30
PID 1932 wrote to memory of 2128	1932	06cb59f0a8c85081f67a6ce034c18f40N.exe	30
PID 1932 wrote to memory of 2128	1932	06cb59f0a8c85081f67a6ce034c18f40N.exe	30
PID 1932 wrote to memory of 2836	1932	06cb59f0a8c85081f67a6ce034c18f40N.exe	31
PID 1932 wrote to memory of 2836	1932	06cb59f0a8c85081f67a6ce034c18f40N.exe	31
PID 1932 wrote to memory of 2836	1932	06cb59f0a8c85081f67a6ce034c18f40N.exe	31
PID 1932 wrote to memory of 2836	1932	06cb59f0a8c85081f67a6ce034c18f40N.exe	31

C:\Users\Admin\AppData\Local\Temp\06cb59f0a8c85081f67a6ce034c18f40N.exe
"C:\Users\Admin\AppData\Local\Temp\06cb59f0a8c85081f67a6ce034c18f40N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2128
- C:\Files3O\devbodloc.exe
  C:\Files3O\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files3O\devbodloc.exe

Filesize
3.0MB

MD5
941b3ff78565d988b0ccc71e9e551f03

SHA1
8024adb1197a932b6498193198f740acffc21191

SHA256
6d2c775e48d9b4412ba3f4a8606bfaa4c056e4d12a115cf259d11643acbe4614

SHA512
9cec92aaf42e8329816a2340e51dafe3de9cb4b64afe74ab80b98fcf2155894d85d9c814236b4d91a5a7223e3da9def2a3b070259a26187390027c2c02361cf6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
136f3cb327ea39841459cdfa3e9897f6

SHA1
c2a633354af2af0ed409835d39b26710b9b009cb

SHA256
a95c1d0453e43ae495b739452b529158c46268dfcc99ed2b326f105fa7069c0b

SHA512
969b277a85600e3d0318bf7a766b777608c9479c1613423ecdf0a8b37b8d3995acbd06691caaabc0ef1f527617242ee7d51df86ffeeeca620d0332c48c41ee3b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
9bb3aa484b39fc1b0bb98f19ca9cee4d

SHA1
be73ddba04fc2cca4f7f68a2f5dcb856a6e75f4c

SHA256
02470057314d8ff0927354aed711c6f83e50fba61b2e92ca3cb136f7c7d5cd38

SHA512
97dbf87e532883c1508abc865e77c621cb249cc6da6e38f8a2d2d9cff1a73635eec23e48510fe4e014ee1f8f1ab1de1d55faf8ef8f03ba2cafed6ef766bfb110

Download Submit
C:\Vid2B\dobaec.exe

Filesize
3.0MB

MD5
5c6cc1db52430b57236bb62054a650fa

SHA1
38eee3f72fdf357ad6cf54e342983a2660976e18

SHA256
022fe1591ae0090750db3cf0a8dc10dacd4cd79459ac96d2056deeb9ab5c3394

SHA512
7d73051ea47d00dad93769642ac88c4f50d8f936a1fb311136697d0bee4600cbe289d762eedf925b1cf03a6e4bb9988e85ceffd42ae46e58590a6db0a1961420

Download Submit
C:\Vid2B\dobaec.exe

Filesize
3.0MB

MD5
8d4d1ce7982b75d0439c0fb5ece78d72

SHA1
bcf43fcf62a12b602951ae6b0844a7072046b539

SHA256
54703195921d3fc542c0ea127595d47bdf2bba8c48b48f3b9ed56ca6f15ab9c9

SHA512
0dc59da21a15ddedb635dfd4674b2c38b2f44896bee4e6565a7523a5e8f68f00992923077042c4354b840ac0deadcbd5e7597a770e0196636bfe8b2c48b241e1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.0MB

MD5
70215c5eb6bcf54f2efa2cae9ece5836

SHA1
27bdf61829c949217b731e4777ce5629a61be7cc

SHA256
37c862f6d5ac563b8ff68a7bb4fec52c818526eb91caaf7295c04ffcf7d2284d

SHA512
12dc692806a99ddacc05260746f593e68092a95f3ee16576ac37a3df4ede7ea0de53d21a827158d337aad7d2886f396dc3f12ac3431ffc6a5472605db0f5998a

Download Submit