990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
Size

2.6MB
MD5

ed7ebf0ab9eef68269b8c3fcb5eb842b
SHA1

89562f6119d27097025c0ab00df9572a2074dbd2
SHA256

990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb
SHA512

0408a369ef86aa954ce9686cc7192ac82bb7eba8a59c934d05183af414cd7392b1a8816a64ed1a1f334e386cc63e8863f8f95ed84446fb5dd159970b180eaf11
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpeb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe

Executes dropped EXE 2 IoCs

pid	Process
1892	ecadob.exe
1308	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1G\\devdobsys.exe"	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZE3\\dobdevloc.exe"	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe
1892	ecadob.exe
1308	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1892	1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	30
PID 1624 wrote to memory of 1892	1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	30
PID 1624 wrote to memory of 1892	1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	30
PID 1624 wrote to memory of 1892	1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	30
PID 1624 wrote to memory of 1308	1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	31
PID 1624 wrote to memory of 1308	1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	31
PID 1624 wrote to memory of 1308	1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	31
PID 1624 wrote to memory of 1308	1624	990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe	31

C:\Users\Admin\AppData\Local\Temp\990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe
"C:\Users\Admin\AppData\Local\Temp\990bdcf15e83a3178eba3f9cc1d22d3bd8d9b8361013cc2087cc960c81729bbb.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\UserDot1G\devdobsys.exe
  C:\UserDot1G\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZE3\dobdevloc.exe

Filesize
2.6MB

MD5
e692034f86f19164a61929f63a696072

SHA1
1f75921920eec1ad480002ac34b0a0405a4f6a27

SHA256
68d9ac80b45907647957cc9e368e724e6a92bd24366b7d2c98c9dd68ec558c62

SHA512
70bae4137d8d1e148c9ad1e792d92a63ae5f11199748a999df7eeadc54e687d4aa371dad9e4dffe4996f0e02eca191afafcc3b67ffa51818ec357cf32a1f129b

Download Submit
C:\LabZE3\dobdevloc.exe

Filesize
2.6MB

MD5
c48cce91f9e398dca097aad992f5e465

SHA1
f1e70402458c156de3ff150478fb0e4b326a6fff

SHA256
6cb31385c4034a81b128220a33830e77283d60681efb284426a8d63d408fa9d5

SHA512
963a3013a64585dbcbcfd6c3ef71ec8a0a0c1fababb348048aedd5bc9f807683fae9f615bdb55f72f2d43b5b2e29af1ebd476e3b24fdd7f8714b544ca165cfd6

Download Submit
C:\UserDot1G\devdobsys.exe

Filesize
2.6MB

MD5
ce89c724198c5df2025cbad3f5afe2fb

SHA1
ed5fbab188178ea6dd7bbe50b0761cee454a7cb2

SHA256
1c0f47bea6339e0071f04a65197f9bc8678632aee965a5938708b0f382228d0b

SHA512
b2f8238d6710cad4f8d37eb9bb29d3a6890c9653ffd080008eb35c2eab49fb549dee5503ff247a809029d6633c2c39af3d7af92aca0eb870929a717b5743a625

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
3a0916be8b3195f33931d06add54081a

SHA1
551ecacb2bca5912f8bf06a973e1104fd0e7acc8

SHA256
b2e7548f3f61a66b81f70964ada7331ec9c1fd8d5036e782d1d31ed67e26c842

SHA512
a7cc1af9183d4ba0110ac5fc294ea36d7e55ea528bd624bf50d03bc5ae22829be3e7392af28d892ac6d3fcb7830a051b0b05fda27c84d8c58ab54c8bc6e1089e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
ccdb1be179a6d03f13fcdd04bf061653

SHA1
533c85dea1416d0848f10f9efa45d34aedf2c1d9

SHA256
03113634511c94e7c387677b217b15b7e79a670dbe0abe9e9aaadbddf1fbc21f

SHA512
a803cdd53f1034f598b534504f8471582b80bd9c699396c11d8b4210f5d750409a3fdee4e6ca8361eb46d6fbb9f019801fa96b7e1408004b002e3bbfb447668a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
6c641a646711367fd8a10e34fb323dcb

SHA1
2e24e3a547f5f98bffc7c5ece7a093d6c917a59b

SHA256
05fcb682321268f494644530c4ce1bf3f2420cc568659d7c4db9f8638660cc95

SHA512
ba5897717624a637b75fabdf94c90e3f4d6964e9a7384ea4deeea1ca101085e9ab52f6ea3613785d5f07f5bd0cf7673809aab029a2780edde4e51c555232e0a2

Download Submit