2d567eedd61ea3c6ee37c5fc5b2bfeb3fbd4ded7c380de33bc7c99e07348db81

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

300320dafac1d658c57ae1a24dd70c80N.exe
Size

2.6MB
MD5

300320dafac1d658c57ae1a24dd70c80
SHA1

5d82859bdca1e3faf2a06f727cce888f7ceac98d
SHA256

2d567eedd61ea3c6ee37c5fc5b2bfeb3fbd4ded7c380de33bc7c99e07348db81
SHA512

10ee32f58ca7b7a81428446d2b8a5d6d376e5fde9fc0490997bdf5fb0a292f67b83568749e1d0f3692d3ccc7ac882d796a8ba2fac123cbdb9afdbae62840fd43
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bS:sxX7QnxrloE5dpUpdb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	300320dafac1d658c57ae1a24dd70c80N.exe

Executes dropped EXE 2 IoCs

pid	Process
2680	ecdevopti.exe
2740	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	300320dafac1d658c57ae1a24dd70c80N.exe
2220	300320dafac1d658c57ae1a24dd70c80N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUB\\devdobsys.exe"	300320dafac1d658c57ae1a24dd70c80N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid57\\boddevloc.exe"	300320dafac1d658c57ae1a24dd70c80N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	300320dafac1d658c57ae1a24dd70c80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	300320dafac1d658c57ae1a24dd70c80N.exe
2220	300320dafac1d658c57ae1a24dd70c80N.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe
2680	ecdevopti.exe
2740	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2680	2220	300320dafac1d658c57ae1a24dd70c80N.exe	30
PID 2220 wrote to memory of 2680	2220	300320dafac1d658c57ae1a24dd70c80N.exe	30
PID 2220 wrote to memory of 2680	2220	300320dafac1d658c57ae1a24dd70c80N.exe	30
PID 2220 wrote to memory of 2680	2220	300320dafac1d658c57ae1a24dd70c80N.exe	30
PID 2220 wrote to memory of 2740	2220	300320dafac1d658c57ae1a24dd70c80N.exe	31
PID 2220 wrote to memory of 2740	2220	300320dafac1d658c57ae1a24dd70c80N.exe	31
PID 2220 wrote to memory of 2740	2220	300320dafac1d658c57ae1a24dd70c80N.exe	31
PID 2220 wrote to memory of 2740	2220	300320dafac1d658c57ae1a24dd70c80N.exe	31

C:\Users\Admin\AppData\Local\Temp\300320dafac1d658c57ae1a24dd70c80N.exe
"C:\Users\Admin\AppData\Local\Temp\300320dafac1d658c57ae1a24dd70c80N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\IntelprocUB\devdobsys.exe
  C:\IntelprocUB\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocUB\devdobsys.exe

Filesize
2.6MB

MD5
07e783f018814c9a34688d69cca13fa7

SHA1
c20ec4aad98aa003050cde43dc5b7a4cd98fcf0b

SHA256
9a231b49348c468598c5f666810f1e1901d327f7d80d663af249c68f5f6a5bef

SHA512
16e804cb78836bdeb0311fa76d7d8973ff6fe13111624aabbe0aec72d80fef8e0317e882197446a161139b49f748b9a3ca8f9c0cd61f201e489ad430a42fa7f0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
177B

MD5
22b355d2a9d4b7b64c265bb7553e4d7c

SHA1
e09781d00cb4b255358a2b3d130f43d39cdaa664

SHA256
dbf7758a37b8cf2f06516543d32212b349f4c97927f99f80e01e6133ace578c5

SHA512
d8609946fff2d0535fa5f34a55ea55dd254cb08bc27994bbda4482d3f47f784efd63188ce85e4c375a01bda6473f738cf53b4aeea50ed452c1d454f9ec3bc2bd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
d67a5d72bbe982bab948f5d5a00d84bb

SHA1
416d258e46045dfdc01c27bf1ea8f1fb64ed497e

SHA256
c39aa812f77a5f13a7a50780064dc22e281da9bd98788651a10f09eb70f5c571

SHA512
9632493883614974a716ab2962d78a361cb5c9f90356817172dce32aa0e2deb0b29374a456fa02e48979cab11e89869a291f1719822ac3a9ccbc59caf8a36f3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
9ee8529d4d75667b20a6bf90ed42e3c8

SHA1
98930e6cd9db50d5c04d6aaa285d084694220d2e

SHA256
54d2bcee7bc6337930e8683a550776f3a091bcd38f88c5498d8128d9b0f20212

SHA512
670e5136ba6289a0d58d1d74e023b9e84a4dae00cf404a650c2ab795c518a26fb69f0e79ecd69823a28fc647a80db5e836f51408ed4286961797989708643858

Download Submit
C:\Vid57\boddevloc.exe

Filesize
2.6MB

MD5
8442201d3eb30c2cec318058cea2dd1a

SHA1
7fd928e657efd6db0a6ad86e16d5cccc9d4a8b31

SHA256
35fae17dc5061db5d635920fd51591afb808c177909f4e4900233301170f4286

SHA512
b2d21be372a254d891a4f104af9c245e43b4550662fb8924e06495f314ad6c01fc8bbacfdacd93f5fc6961291a7c2a4b5b1cd6220c74380a8006482f7c8799a8

Download Submit
C:\Vid57\boddevloc.exe

Filesize
55KB

MD5
b94320cd188882fbaf3b90789b048b1c

SHA1
d40c6e2fae1f37411d526a865adb0881f7b6ca13

SHA256
66d6c585db6b7ce283d472ad050fc57d51e2b7644e5a806f53077d7655cb4580

SHA512
0589756e742657a5b63f7fef78ff9591c629dde1cb7a37882b2700fd32df11d4e9beedd8586f94995a57a6c35b1a371f61498c66946256687afbba3b680ad7af

Download Submit