9765466d847c00f0df13030fa48c264d6b9c8ea407f4edaffd10509379ca15ba

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a97cf5a29c1dae93040842ee19a64b0N.exe
Size

2.6MB
MD5

2a97cf5a29c1dae93040842ee19a64b0
SHA1

4c42666c4414bbdbde41e258f1c7351f64f22753
SHA256

9765466d847c00f0df13030fa48c264d6b9c8ea407f4edaffd10509379ca15ba
SHA512

e7c74b2729a54a5c8e31dbd1c8999edaf22749b614e02e9c6b89d02426455afeac309005cb1f66a597e472d90a8e5b69065beaacbf720712f3ff40404ffda68a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUpRb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	2a97cf5a29c1dae93040842ee19a64b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2096	ecdevbod.exe
1880	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1016	2a97cf5a29c1dae93040842ee19a64b0N.exe
1016	2a97cf5a29c1dae93040842ee19a64b0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOS\\devbodloc.exe"	2a97cf5a29c1dae93040842ee19a64b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVD\\dobaec.exe"	2a97cf5a29c1dae93040842ee19a64b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1016	2a97cf5a29c1dae93040842ee19a64b0N.exe
1016	2a97cf5a29c1dae93040842ee19a64b0N.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe
2096	ecdevbod.exe
1880	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2096	1016	2a97cf5a29c1dae93040842ee19a64b0N.exe	31
PID 1016 wrote to memory of 2096	1016	2a97cf5a29c1dae93040842ee19a64b0N.exe	31
PID 1016 wrote to memory of 2096	1016	2a97cf5a29c1dae93040842ee19a64b0N.exe	31
PID 1016 wrote to memory of 2096	1016	2a97cf5a29c1dae93040842ee19a64b0N.exe	31
PID 1016 wrote to memory of 1880	1016	2a97cf5a29c1dae93040842ee19a64b0N.exe	32
PID 1016 wrote to memory of 1880	1016	2a97cf5a29c1dae93040842ee19a64b0N.exe	32
PID 1016 wrote to memory of 1880	1016	2a97cf5a29c1dae93040842ee19a64b0N.exe	32
PID 1016 wrote to memory of 1880	1016	2a97cf5a29c1dae93040842ee19a64b0N.exe	32

C:\Users\Admin\AppData\Local\Temp\2a97cf5a29c1dae93040842ee19a64b0N.exe
"C:\Users\Admin\AppData\Local\Temp\2a97cf5a29c1dae93040842ee19a64b0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\SysDrvOS\devbodloc.exe
  C:\SysDrvOS\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVD\dobaec.exe

Filesize
2.6MB

MD5
369b3573008d706f63f60a7da2c08111

SHA1
d37cd258ee8782246acc4b3d155304e86e638e9b

SHA256
7c12bb7ce9a98a2e201993ef98d700f59c5913799cedfc7bd8a6ff9d70f2eb44

SHA512
d1a44f0f4c4f984276ed11a00bb050fe05bac1b5fed3bb0a4259f3dff3dd66d22c1d6be1d07e366538c1736555d28e774027b94a8eda373da611384bad387955

Download Submit
C:\KaVBVD\dobaec.exe

Filesize
2.6MB

MD5
9151c9131132a872916d7cadb048d28e

SHA1
51e0a77a064cc6e6c79fdd45a68392b342b12eec

SHA256
b3e07bd6c2c56b12d7df3277bc1cf51c1ff731870ecac7bb4fbfd880a45c8b69

SHA512
97b491fbb757e0ff485933ff3bfc5860ce3dba1a5ba00b5427a1a6c9efe78d13ec87f929b39ca9a8b6cafd972a30a0b2c1e5c91c6afa4382f298a7630d12ba08

Download Submit
C:\SysDrvOS\devbodloc.exe

Filesize
2.6MB

MD5
0d5257e2772c2593a0494a48738ace23

SHA1
862b16260a8339fb63faf7ebb1c08b4095c0d368

SHA256
b03f16b27848c3ba610cf0d1290b0598603ec500f724b0d67b1a90360ee026ed

SHA512
79d52d6d9cb01088046b4643417bbfd365dcc54d4af46cd56875f6de3d0461b6de1820066df28da379fa3108c10c59817dbe0217c3da16d9a4fe047e8f319605

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
a165e1d66761fcc5eedfc8d425cc9e34

SHA1
4abf7bedb42227aa444dfaad5934737390f469c8

SHA256
68d0b12acce65201a6f9995ef00f8b999c9bbd2ea28bfc8f92333281e59d8c58

SHA512
0fc94c794fb188002d185d0736dd2065874caacf3d393d52efd404b7d7c706187d95c3db0ac008786b21db2cee05001566ddea8a3751068084f17705b6587c38

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
e498ae228ee87485a789d1de9883353e

SHA1
44d9bb3cae7f63a7ac1a87b593bda26995b73c2c

SHA256
6216e2188729789b8a4ef9935b3ddf9ce054d5b903d6666daa9b33d52fefca9e

SHA512
57e590b7d0248dbcdea638be0ec47e72cded12b34ce9e394ba59f1bfb14fcad7317eef850658e8a75a6ea0435797fafae7a99ad005a28a93a5af21e101a64afc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
42fec8a4149e739410bd749c51e405e5

SHA1
08b64da9fa1aa393ab50d5c98c4184fd832e19b9

SHA256
4c1e90eabfa65f411ac3675d73fe95fcd8c314e8530ccbba906b93717ced9cf9

SHA512
59247efbfaeb9bc0f10b70a205092c48519ad3bd4eaecd7a447d5ed34865f64d18f400a3e30867f66d9f8e5a2f97d68d08be42315a5c6dfb4a0da2c9c3cf296b

Download Submit