d3466137e0217a6a722469f241f8b75540c9239665bf31404cc3c41fb4f989ca

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af6cf529b58b24e3ffb4fea5dccc8c50N.exe
Size

3.0MB
MD5

af6cf529b58b24e3ffb4fea5dccc8c50
SHA1

df69c48d5927c343d2f16117057f14431a34a01c
SHA256

d3466137e0217a6a722469f241f8b75540c9239665bf31404cc3c41fb4f989ca
SHA512

14db2ea9f7cab422b9eef482d260e5f3e90ad093c45c148131acc73a8100a154554b6114b74140c751fcda11edd3c1ccaf34d7629bd2704c42924c548cd37025
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bSqz8b6LNX:sxX7QnxrloE5dpUp1bVz8eLF

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	af6cf529b58b24e3ffb4fea5dccc8c50N.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	ecdevbod.exe
2708	devbodec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2X\\dobxsys.exe"	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ0\\devbodec.exe"	af6cf529b58b24e3ffb4fea5dccc8c50N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe
2900	ecdevbod.exe
2900	ecdevbod.exe
2708	devbodec.exe
2708	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2900	2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	91
PID 2636 wrote to memory of 2900	2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	91
PID 2636 wrote to memory of 2900	2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	91
PID 2636 wrote to memory of 2708	2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	93
PID 2636 wrote to memory of 2708	2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	93
PID 2636 wrote to memory of 2708	2636	af6cf529b58b24e3ffb4fea5dccc8c50N.exe	93

C:\Users\Admin\AppData\Local\Temp\af6cf529b58b24e3ffb4fea5dccc8c50N.exe
"C:\Users\Admin\AppData\Local\Temp\af6cf529b58b24e3ffb4fea5dccc8c50N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\UserDotJ0\devbodec.exe
  C:\UserDotJ0\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ2X\dobxsys.exe

Filesize
712KB

MD5
f2cf19231c05701b63f91e4d59326c25

SHA1
270c933bbc8c79018f07650389641b98b61f84af

SHA256
3612122bdb571d1da4daabfe35eb6200d1ec7a37058955d7a8a368256c16ff9a

SHA512
5f1de4f1048efcc70644a12d980acc024865774660d0491a3d469cee8ff731160d3401db0a2040ffd38d421bdb86cb697627dcd7c377a870a1c55776e2bbcdf7

Download Submit
C:\LabZ2X\dobxsys.exe

Filesize
3.0MB

MD5
7a637b2905bffc3183f8df138b64afb7

SHA1
8df01e42d9c4b5c500edc6c999b4fec02ffc39ad

SHA256
eeb22202e91e289d63f26971abccdcac45c47b413a2d42cbffcdfd2915bd6e9a

SHA512
0bff087901c0390ee1967ac6a2fd626221acc61353b35b64743e36c237910fa9b06fd44bc3887271010bb506bc5dd130c8b3db92ce54529745d1fb16f98cc041

Download Submit
C:\UserDotJ0\devbodec.exe

Filesize
1.6MB

MD5
fb8cb713170f82d1ba0d178d058ae9f7

SHA1
5fe00c71eacbea18965daf87ed31ceb5175e70fc

SHA256
e8e6831070ece8d53127127370449420aeda45f3a16d1b3dbf0c2a991f4541b7

SHA512
85c9ede97275f440989239f2c2f84015b56150660c63f65dd4a4438bd5b602c31831df66746485d0fcb79951a405498861f63f4627155f852dd4866bd26c4cf1

Download Submit
C:\UserDotJ0\devbodec.exe

Filesize
3.0MB

MD5
f48af59fc74f1e8b1cc9de5a135c6841

SHA1
f73ccfa2d2cb727bfc408b28f3f1e43e4e084adf

SHA256
5c4b6618f3c0408c12b2e122a0a3daefdef73bd74e69a61927c621644bbf2450

SHA512
0f358678d4f826bda9cacce8bb806095e7857f50ece311d84c1d87ec5fda9bf15db170414fb295d18cb6e1070ac2be45c0e9b84d8c2ef75482354652b9976a33

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
5b170c3cc4c976b852d4ea8252ba9324

SHA1
c55763f961348a024398ac932e1ab63a7814d43e

SHA256
7fc890d14638de9e416af19fbc5d8c95db2082d8fcd6649e58e8e44bbd92f8d5

SHA512
c8009253bd6a94436f27fc3d05ca5399e9cf06ae08af1ea8f249b87bb4f43275de4bfb2a8f4190ed35d3aabbafd68213920c19db651303db0c8837b5525cc03e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
a860ccc81d469d9e49dff53af30b91b6

SHA1
99ffc4d680f2475b8e011233e57c82ba1457aa22

SHA256
1867235cfa6de059490531b8cf3439d4af02cfa2a5576fe25bb8b945aa8b7877

SHA512
edde4d26d0d1eb3a4b5313e912beff28d2374b10575dc6dd8af1d79f7f0c1da540ad1a05ef39b828a553b538027cea155c419457e7b217b42e67456075f3ab74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.0MB

MD5
97db302f06eda310f4bbc75d2d0aae7e

SHA1
b2a0d2541e198aabc7f3d9b633e12b340012585b

SHA256
f7dd405da97dfb8e6f400227fbb5669b4dabd939268fce5798db101972f5c20f

SHA512
9289e1b8c3260c60346d3c67af98b93a2d21f0684c89f738605922c046d6003104f943e10c232bd24b320f8300441dcaa87ace9a496e68c66254a10998ada4dd

Download Submit