9cd7c7530c351cf69271745aa5adf9a93415a8f9850e17bebbfdcffbdab1b28a

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a721f621909b3f6a4066a844274857c0N.exe
Size

3.2MB
MD5

a721f621909b3f6a4066a844274857c0
SHA1

477052e21fd599dad2b3806f554988c3262816ce
SHA256

9cd7c7530c351cf69271745aa5adf9a93415a8f9850e17bebbfdcffbdab1b28a
SHA512

622f8c765b08f07426b2eb48ff0e500796b84335966dba16bbf8f29115f3e3c785423be73a25b1a1091ebbe324d07e799bc131defe275e22dbb4bdc5e8016610
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBAB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	a721f621909b3f6a4066a844274857c0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2888	ecdevdob.exe
2992	devbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	a721f621909b3f6a4066a844274857c0N.exe
3032	a721f621909b3f6a4066a844274857c0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLF\\devbodec.exe"	a721f621909b3f6a4066a844274857c0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIR\\bodxloc.exe"	a721f621909b3f6a4066a844274857c0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	a721f621909b3f6a4066a844274857c0N.exe
3032	a721f621909b3f6a4066a844274857c0N.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe
2888	ecdevdob.exe
2992	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2888	3032	a721f621909b3f6a4066a844274857c0N.exe	30
PID 3032 wrote to memory of 2888	3032	a721f621909b3f6a4066a844274857c0N.exe	30
PID 3032 wrote to memory of 2888	3032	a721f621909b3f6a4066a844274857c0N.exe	30
PID 3032 wrote to memory of 2888	3032	a721f621909b3f6a4066a844274857c0N.exe	30
PID 3032 wrote to memory of 2992	3032	a721f621909b3f6a4066a844274857c0N.exe	31
PID 3032 wrote to memory of 2992	3032	a721f621909b3f6a4066a844274857c0N.exe	31
PID 3032 wrote to memory of 2992	3032	a721f621909b3f6a4066a844274857c0N.exe	31
PID 3032 wrote to memory of 2992	3032	a721f621909b3f6a4066a844274857c0N.exe	31

C:\Users\Admin\AppData\Local\Temp\a721f621909b3f6a4066a844274857c0N.exe
"C:\Users\Admin\AppData\Local\Temp\a721f621909b3f6a4066a844274857c0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\AdobeLF\devbodec.exe
  C:\AdobeLF\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLF\devbodec.exe

Filesize
3.2MB

MD5
57abff2150b66e13aeed90abd6292c95

SHA1
02818bb644328591d1026a9ab7b13013472ba84d

SHA256
d33592af14cfec450eba19046c7e2cd758f084f92ed07581c3deadacf251661b

SHA512
22ed9ad4d3a1b752b3f355c50f86f20a626c6c03ce72819d7dd54775833c810414518c18dd19f27b403ecf0573ab36094c4b4f6865dcab71f13b1a428986e49e

Download Submit
C:\LabZIR\bodxloc.exe

Filesize
3.2MB

MD5
e12d6c95ab69f70f7faaf0a637e90330

SHA1
1ad6eef01008a93d21436474493d0a90defcb13f

SHA256
803637e17522d13c8caee667a1dcf3644865eab8b5796a49bcb8d858d7581485

SHA512
387247b369b1c479d9da1087452d5a97d47317c0a3d00ac999cc88cc76aec0a1574d3c799a8ff2e3f9737bd7382700526c7ea6560b641558e964a710a50bb41c

Download Submit
C:\LabZIR\bodxloc.exe

Filesize
64KB

MD5
1fe0d14acbae1f4503fe3c851d715a39

SHA1
6e9ecb695f2b07b82aa67f8a0c7c244f7baada13

SHA256
61af4ae2b9190d39219d4ea312628eb2db34adbac0aa2bc5b6af808cc0035574

SHA512
5bf6fdd03a8c739369ddb3db15ef0efd1fb0d8b899aa9ae205bd5ba9ad2806e27164a613b06c9193fa7bbcb331ac03f2295da8a1a6ffab78db5acc631d95b583

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
31f9fcf641877bf4a29eb0521fc8fd49

SHA1
78de43f35f227e5bc446942ae0aba5f6ca69685a

SHA256
419b0e349956ffe389993365b6c6601b1e88580fea47639fc3a7baaba8e52ab8

SHA512
94a0cbeb7f7663f3628c6711fef79e207e7597963a053a3bdf037c652c8fd52d592c07a5b9d90904679e90d6671c7644a19c346fb63fe4eaa669a2bd761280c1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
15d72ce7be29c183d1026e1be4bdbf72

SHA1
a53a4a06d63e974eecd2cb9f34530659404f0c31

SHA256
798b08d13835b4c612138b0b7ce30b7acd1b74e9215241a0b6f87cc020d53fdc

SHA512
dd1d9cbd684e69725046cb160d9ee2247b00aa21b8e2fc7cf03e69a2fd4b66a5f59d401240d19778d239209047750e92e7c2e5f8ed8e33c37c5266d5749cc78e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.2MB

MD5
48d91431ac8a331840f2e6368497e419

SHA1
cd3f8c55ee676b64046fd345a84550e20dbfb90a

SHA256
eba67554732525109ada9104ac51c1d22f7da7e3446532d1e1c238a477e2c1c7

SHA512
ca6b8645b79b37a79e13a4d710ff422eecdf0c79a41a88adb74edba6820ed78a11127e1c7de1aad87aab23831e1a94ad0fcac28001a611337a31c97a874075f9

Download Submit