8ec953f250379d4f84e34c6e951fcfd60579b428a224cadea972e36b686be84f

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeb904a84ccc233b8835bc58425a8a50N.exe
Size

2.6MB
MD5

aeb904a84ccc233b8835bc58425a8a50
SHA1

7eef71679d453e2744779642433f64bb8ccb867c
SHA256

8ec953f250379d4f84e34c6e951fcfd60579b428a224cadea972e36b686be84f
SHA512

8ee4c60ab4957f0d9df1c36a12ae0b4ab861757e820d71a8a635d06208877a6392b876cdaaf9ae2fc951e7a4ce0b5341865194e8347e158362f6a93f07126b97
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUp6b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	aeb904a84ccc233b8835bc58425a8a50N.exe

Executes dropped EXE 2 IoCs

pid	Process
228	ecdevopti.exe
768	devbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW7\\boddevsys.exe"	aeb904a84ccc233b8835bc58425a8a50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2U\\devbodsys.exe"	aeb904a84ccc233b8835bc58425a8a50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aeb904a84ccc233b8835bc58425a8a50N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	aeb904a84ccc233b8835bc58425a8a50N.exe
4356	aeb904a84ccc233b8835bc58425a8a50N.exe
4356	aeb904a84ccc233b8835bc58425a8a50N.exe
4356	aeb904a84ccc233b8835bc58425a8a50N.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
768	devbodsys.exe
768	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 228	4356	aeb904a84ccc233b8835bc58425a8a50N.exe	87
PID 4356 wrote to memory of 228	4356	aeb904a84ccc233b8835bc58425a8a50N.exe	87
PID 4356 wrote to memory of 228	4356	aeb904a84ccc233b8835bc58425a8a50N.exe	87
PID 4356 wrote to memory of 768	4356	aeb904a84ccc233b8835bc58425a8a50N.exe	88
PID 4356 wrote to memory of 768	4356	aeb904a84ccc233b8835bc58425a8a50N.exe	88
PID 4356 wrote to memory of 768	4356	aeb904a84ccc233b8835bc58425a8a50N.exe	88

C:\Users\Admin\AppData\Local\Temp\aeb904a84ccc233b8835bc58425a8a50N.exe
"C:\Users\Admin\AppData\Local\Temp\aeb904a84ccc233b8835bc58425a8a50N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Adobe2U\devbodsys.exe
  C:\Adobe2U\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe2U\devbodsys.exe

Filesize
2.6MB

MD5
0a72f75cec9cd79a6861bdfd80df1e16

SHA1
f228f51561e74cb6ba368d6ca0e92383c6f354ba

SHA256
3f2401c2ed5e420a6644090f33b4899aa2eb262f52e4b4cad62d84cf6bf87296

SHA512
59cc5f3b0a093206052c866dfcfba0b940ac13323749047a47e141e9967110f07d7d25fffc99cd904d7683f2d93f94ec8344c1cfdee800ed85c13d74b9bebba1

Download Submit
C:\MintW7\boddevsys.exe

Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\MintW7\boddevsys.exe

Filesize
2.6MB

MD5
bf636ca107d4b0dce378123aa2d45ac0

SHA1
0dc48d73acdb1bb986ca65085d845eae1ed7de02

SHA256
9e1cd2cf756f6767a8456d4fb33a34359994fdf971ccc4b8934ead06d6423f8f

SHA512
2eb86d3dbef6f81efb5615c164e42693f1cf39b60c78d65b76c66a487e68e9e629e95914fd1c9b8cb09be4a6d675564ce27740c62a1c78eb24af8f6ac566d821

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
b993c5fa9007678502bea5add6b878b9

SHA1
1e11458abca5b6d9e6e18d8865e0bca761103326

SHA256
138fa9c4b383fc49698bb5265321b20d303faa6bedbfa1aa0ea52910e920c09d

SHA512
3a25360a337e7ecc6f6e4e2393b1a3d6505b7d645ba9941530f9fc269920063d618ff2127520a8f0c28f2fa4696edc593cacba806be748b48e3671fd26c4cef9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
51b8807441a12ffece99540550f0fbf9

SHA1
f570ece88ed6003103674c24eda04e69b6acc8df

SHA256
4b49497028cea779817fe0948514702f636becfd23cd714dc0a63e693f551aa4

SHA512
5c5685c2bae194870197811a793f119a912215979d311717115ed0a76c58542a4787bd3915b8255493bf3ef522ef761481ad8ef3ddc11f15096be3ab5bf60683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
8d357220d83f87f5c28cc41597fe182d

SHA1
c339b47450def2737160635b24098bfe50086357

SHA256
e2091a47024117ce3baae3f283040531b0ad97d617d0aa59523516ef0115e6c3

SHA512
38d1988db36535fb38d3457ed36a46e356109d2e37a57f18582dafa467b0f50ed09280d9a8a6333fba6a5f107da846c48b8b51d1102013126d0c187024d3df5f

Download Submit