4d9425f1d299292fa3bb48af8f8e24e0df5b9412683df7bb8ce372db6f9f9f99

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 18:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c49441f4f9c7593eec62001337f6c0a0N.exe
Size

2.6MB
MD5

c49441f4f9c7593eec62001337f6c0a0
SHA1

a1bd029957bec6e2481a66ca09147240fe3fd2a1
SHA256

4d9425f1d299292fa3bb48af8f8e24e0df5b9412683df7bb8ce372db6f9f9f99
SHA512

711658ac8908c6e15cc6bcf9b575e73ffa6ba2e050ca7da7e02479a7d6a6fb9a33228a06c314df9daa09d312791ca744db89107509ed7c7f1f90d74c39203377
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpKb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	c49441f4f9c7593eec62001337f6c0a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1100	ecdevbod.exe
2028	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesB0\\devbodloc.exe"	c49441f4f9c7593eec62001337f6c0a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5E\\dobdevec.exe"	c49441f4f9c7593eec62001337f6c0a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c49441f4f9c7593eec62001337f6c0a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3456	c49441f4f9c7593eec62001337f6c0a0N.exe
3456	c49441f4f9c7593eec62001337f6c0a0N.exe
3456	c49441f4f9c7593eec62001337f6c0a0N.exe
3456	c49441f4f9c7593eec62001337f6c0a0N.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe
1100	ecdevbod.exe
1100	ecdevbod.exe
2028	devbodloc.exe
2028	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1100	3456	c49441f4f9c7593eec62001337f6c0a0N.exe	84
PID 3456 wrote to memory of 1100	3456	c49441f4f9c7593eec62001337f6c0a0N.exe	84
PID 3456 wrote to memory of 1100	3456	c49441f4f9c7593eec62001337f6c0a0N.exe	84
PID 3456 wrote to memory of 2028	3456	c49441f4f9c7593eec62001337f6c0a0N.exe	85
PID 3456 wrote to memory of 2028	3456	c49441f4f9c7593eec62001337f6c0a0N.exe	85
PID 3456 wrote to memory of 2028	3456	c49441f4f9c7593eec62001337f6c0a0N.exe	85

C:\Users\Admin\AppData\Local\Temp\c49441f4f9c7593eec62001337f6c0a0N.exe
"C:\Users\Admin\AppData\Local\Temp\c49441f4f9c7593eec62001337f6c0a0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\FilesB0\devbodloc.exe
  C:\FilesB0\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesB0\devbodloc.exe

Filesize
1.3MB

MD5
4e3fc9fe17dcb54a67dd2015500e361e

SHA1
01745b7401164f6369fed10ccf58044993c92087

SHA256
6e93d02f946802fee947a42776b9d4b0a55053b411a3128f9501bdaac3e73b43

SHA512
05cb65a0ec4b2c3ee29fc1c1f6a69c12ca6582a46f5ce478105d5a8a584e32dd7339482b9c442ef7127f28f64e10e00b624feb7ed9ccf9cac74214899696bf27

Download Submit
C:\FilesB0\devbodloc.exe

Filesize
2.6MB

MD5
033637f78ebef15c38ab105e533a9482

SHA1
bedfb534fde7066929fa8c1131259f9813145b74

SHA256
e7e355d745fca30fd40f795757b40a633c3e38c48431f7331ac030ebc2765068

SHA512
6c82583e66e7cadaf00004be9b06e2cb44248c49063c7ff27d6529be9f867cd9d38082618ed8b0aa5abb4cfaa5c3f1653d6b10cb4b9a1b186c4e6e6f50719c85

Download Submit
C:\KaVB5E\dobdevec.exe

Filesize
798KB

MD5
0ab43520881a820d5fbf915e9d530480

SHA1
5e7886d10bd7a31f99854655a9b8db83ad29e3f1

SHA256
34978c375bdeb10c7276b9ed116e0b65697fba9bb60c665c4a265ede769ba7e5

SHA512
5fa426471049b1eadfa61df66f9040bdd15e94ccb10a4e9e4a05b9365d3fa5cea6970c17c9fc46d3fe91c0e58ef917ff964495c8c9402f6e536e1140012d9b09

Download Submit
C:\KaVB5E\dobdevec.exe

Filesize
2.6MB

MD5
d09c36d3050bbce976b73b751b06bc42

SHA1
5c0496111f0ac3b79170763654eaa64fa3ba0433

SHA256
5702fbc4e4e2a0a4f0dfaf24e18ee29f41380d625be7884b01a60728b5f46edc

SHA512
24d0cfa1063364290e3d3f8fa1c5df890862f30d43cd4bd30fb63ba4ff3834befc41b63b9e605a6c20b2f9d2cff90c5bf9106bc052bfbbadc372f2ccd7659e48

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
105430f1d687644f5bac9f8d9dd82b68

SHA1
fb58baa674e93d2957eb68d81a27934876ecf5f7

SHA256
39cc95af443689ece947b01d5913039fff5d1a3d21128f98ac438520c30ae1ea

SHA512
93f910e6f0976f7aaadcafcf9d59735784d2a41b0d1bcf99ca197b6924528c04682926bab5a1a6a33f2fc5a8dc1501c0a332f4b4d84dfb4182efa9b352adae51

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
94bb1323b29943bda77479eff04a5b62

SHA1
497fcb7bade5cc1e46f38f18ac8610f528e98288

SHA256
48d9fc5c844b0d78a7ba162f42ea10b2aaad12af4d75d95815a380b94a6fcb1d

SHA512
e6389869575b5752b57198048a5d84e19dff1d16e8e2a9b37ca18600960b9202a335b40b916c047acf58fd323599c8b4326c2b44a147246dbfdccf9da70aa763

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
6df799ee30f83aaae0b1a4d0ee305d51

SHA1
fb4e11587944674f4a06bf939fd3ef0e1d313593

SHA256
007af2495ebdb3a4f58662b64ee0a43e168c73dfbd59dc456f21fb6ad9edf7b3

SHA512
bb896fb3599311e65d4d6bab7e9eb694f42c11cb4668b175833ec824007afee800515bd874628338ca3000ba7907d4fadc0eaa7413bcc48c8f0ee930429c051e

Download Submit