c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
Size

2.6MB
MD5

19d6260268e294f65e8a56aa563ee63c
SHA1

e1d80ecb9644d4b8986b9eeb63fb62e007980e76
SHA256

c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3
SHA512

e8734da0d512ff9daa21c6019aae3be52f69fd1a73323daee2eb465e302fa89b5ed2d5ee3219bdd2caaa52476aa07564281850ab5263b97e08a22442dec6cbeb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bS:sxX7QnxrloE5dpUpob

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe

Executes dropped EXE 2 IoCs

pid	Process
2304	ecdevopti.exe
4824	xbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvO6\\xbodloc.exe"	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZB9\\dobdevloc.exe"	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe
2304	ecdevopti.exe
2304	ecdevopti.exe
4824	xbodloc.exe
4824	xbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 2304	4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe	86
PID 4656 wrote to memory of 2304	4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe	86
PID 4656 wrote to memory of 2304	4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe	86
PID 4656 wrote to memory of 4824	4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe	87
PID 4656 wrote to memory of 4824	4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe	87
PID 4656 wrote to memory of 4824	4656	c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe	87

C:\Users\Admin\AppData\Local\Temp\c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe
"C:\Users\Admin\AppData\Local\Temp\c17814ec64023dd3d25acc69f81f518b99cdc644d17f05c79cf45af29a9a76b3.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\SysDrvO6\xbodloc.exe
  C:\SysDrvO6\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZB9\dobdevloc.exe

Filesize
2.6MB

MD5
73586b855960717313dbaf3420ae571c

SHA1
aea6654bd8a4025e6e4e22d47f459f74b1144cb2

SHA256
29c6ee5690e38f117fd3466c82538cea7c17beded85d7d43b475d5f190fb0adb

SHA512
f334418bf2ed0c850941417e09b63544db1304e093fc1904c94078843f5a504fa9b4bf71773f66f22b3fc0d41798ef586c00bbae6a6e2c6869384aedb3becfc3

Download Submit
C:\LabZB9\dobdevloc.exe

Filesize
2.6MB

MD5
67a764afef3cdcc51ad033c6cb586413

SHA1
06ad5ded8ec2e800de4ce1f74d8466554e5dc6fb

SHA256
463d1464512a915d8e3a1a56339d4f34b35a6a9e4f69b8a433139f3470c93937

SHA512
de28b87ea39372daf9588b8262983d67cfd3356ea7823bf3f518e0127c0a56fa43fff3b82c16f2f2fa4ce870c9b893faa7d874c9e080c0b498b5b800c6987c83

Download Submit
C:\SysDrvO6\xbodloc.exe

Filesize
2.6MB

MD5
ddcd7f429bb5982d00b43c2c24556ef3

SHA1
b660d92631a31625e06ecd35d887fc50f29dbe5f

SHA256
02a40c7274f3965f61f13a3fcf4c005477eddaf9f7c1a33ce5a7c67b5ec4c499

SHA512
d29746d09a93b7d3a57243a318e99685274fee906e0fd572a7130427303b219c740f34af5dadacf4ee6a1b8acbefbf6d607086486149f3ff9b86bfe0e82918dc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
4a0c637db59da7bb6500e59567a0180f

SHA1
44c754f20c653555667b554c3932285f8ad063fa

SHA256
78c0472db8e07c02a46ce0c83834c34ec274fe373355ae633e1d827a48872974

SHA512
4d97914f2739025f61578df4302e7a184ff6e9b63ae24ea72a85aa54f4e44652965d6425c3d0d3f614299f21f44c8151b6dc5978a6a1fe598afae535c38e7de4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
b12f9eba11428f6ded70f7016d6f4316

SHA1
84457fbfcccf7213315dba48751e3f94360fd714

SHA256
6c258d13576f48ef92c883e0f4ef09187cc936db3b3513440064b5b9e140372a

SHA512
3a9e4de48a523443a5df0ef48edda36c0b12e89331ec152a7aaf7b937a9e5d55d0f118d80bfdcc56c18fb7f5876fa80eb9c7fb5e2a252a2b1231aaa0c79e6cfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
3804868fb66f15978cdaa2b6aa8d594c

SHA1
a7425f24eb0355c4cb1f24283c6a8f345b46bc7a

SHA256
bbaa91c8d8bfddf18342b1048c8084d80ecc6bd190fa04981afaa1ef4e4aa722

SHA512
a9f7e487c4e1e576b55ee3d29578560366c4d5b718a02e75d8b9b0af1fbaf04e188640d7f4d75c154ff2b45f18868e6617d620718cbaf14ef560ac55ee8e4951

Download Submit