c2f5e959899e38f4bf63437f359d2a79d86ee859f8f52f30a986170b8fc09af4

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 07:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5caaa30795d50da868ebb1b18f9571b0N.exe
Size

2.6MB
MD5

5caaa30795d50da868ebb1b18f9571b0
SHA1

01835e42b623e8760b1beba3d6d8137eba14ff98
SHA256

c2f5e959899e38f4bf63437f359d2a79d86ee859f8f52f30a986170b8fc09af4
SHA512

b6c6abdf06b62cccce2f86add7a0964efe6db23d4056d96d2b392762d64eefc109946dbc61339befd584f709eec6728bf3a0370754ed91c2060814023c3d866c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSq:sxX7QnxrloE5dpUpmbV

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	5caaa30795d50da868ebb1b18f9571b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	ecdevbod.exe
2536	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	5caaa30795d50da868ebb1b18f9571b0N.exe
2188	5caaa30795d50da868ebb1b18f9571b0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5E\\devoptiec.exe"	5caaa30795d50da868ebb1b18f9571b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintM9\\bodaec.exe"	5caaa30795d50da868ebb1b18f9571b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5caaa30795d50da868ebb1b18f9571b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	5caaa30795d50da868ebb1b18f9571b0N.exe
2188	5caaa30795d50da868ebb1b18f9571b0N.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe
2940	ecdevbod.exe
2536	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2940	2188	5caaa30795d50da868ebb1b18f9571b0N.exe	30
PID 2188 wrote to memory of 2940	2188	5caaa30795d50da868ebb1b18f9571b0N.exe	30
PID 2188 wrote to memory of 2940	2188	5caaa30795d50da868ebb1b18f9571b0N.exe	30
PID 2188 wrote to memory of 2940	2188	5caaa30795d50da868ebb1b18f9571b0N.exe	30
PID 2188 wrote to memory of 2536	2188	5caaa30795d50da868ebb1b18f9571b0N.exe	31
PID 2188 wrote to memory of 2536	2188	5caaa30795d50da868ebb1b18f9571b0N.exe	31
PID 2188 wrote to memory of 2536	2188	5caaa30795d50da868ebb1b18f9571b0N.exe	31
PID 2188 wrote to memory of 2536	2188	5caaa30795d50da868ebb1b18f9571b0N.exe	31

C:\Users\Admin\AppData\Local\Temp\5caaa30795d50da868ebb1b18f9571b0N.exe
"C:\Users\Admin\AppData\Local\Temp\5caaa30795d50da868ebb1b18f9571b0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Intelproc5E\devoptiec.exe
  C:\Intelproc5E\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc5E\devoptiec.exe

Filesize
2.6MB

MD5
d470462b595977a135a78b2566223a5a

SHA1
3eb7fef293dad1f00c7d11b4b043f143b974ccbc

SHA256
0cdc825c9ddd6eb7663534f5ae45a41434e4ae37f30e0c63c15171e8912680d3

SHA512
548bdfbf699be361d5ee44c6ee1720bcd74bbc687d9eaa84367aaea820debd8a6a41a67a6d0a5e6f3e3c7c0dd17033fae59dbe2a898608c65d241071abb4b0a2

Download Submit
C:\MintM9\bodaec.exe

Filesize
1.2MB

MD5
211f25780a949ecc47fe103d46655355

SHA1
9e61828760283cbf311ef63c6da4b54bc8e38bf4

SHA256
03491075aed567421202b9da1912d5f0684570b8bfcfac389e16ecab234affe3

SHA512
425b07a8bcade19beb7d3eb2c68a5c38fac85217de4e8894bab479305438f7596b76f74008bde826ec59080a7a764188687505f6ff96e044ff9027820a3b495c

Download Submit
C:\MintM9\bodaec.exe

Filesize
2.6MB

MD5
ba5ccec89bbacc4140ec0c9e84f22a9d

SHA1
a995c337725ea6c71651de8d3ad3ec94d067df11

SHA256
8439e0bcadf3cb29a4a2c0e15c8f3ca1cf47d60bf0fd377d5c829b6860de7add

SHA512
cbdede2e4f12c4447e2c8c4d3f4d1fa0485114f2b82be35ef4781b01a40bf385c70ac34025998c790bc2928ba8a128958b4ecb51e10d8dfca7a0ae73994a9343

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
7f71626a3b0a9dded3313834e8df591c

SHA1
af7f7c78c53b0014e83aabf5811ed35b53059d72

SHA256
5cd9ea61f6638311593960582e84a4fbc3612c0a3e46f9fc3aec84ce93445f30

SHA512
859f0d92a0908cf102a86219adc7a0bd41f907136fc8e3c64f594f63eb4d2e8ab5d1a066189d59f02a29ef21b34ee24856a054297ebc4d5b11667626aef531f0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
82ce4f466e69f41222711cb043684d72

SHA1
9429e95ad6e8c6cf4f153d1eb7f006cd46414974

SHA256
a2b93375462fefa1cb209cccb26a079b009011c60eadf0672369d008d659afdd

SHA512
67d2c312577b08ff8510980cb62107ac65c2a2b65f1e4aec9ba8d7a90b94b039b1508b7f7274d392b7e271242ff79d5b13f8efdcb5c4326c8c8e56e9e7845e18

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
9ec8867b49972cb1a39ba2d9f4fee005

SHA1
ce8e40545b83879fcc57ad70a5ff9baa476f515f

SHA256
7d7baaf4fc53a2220a56ccc42169815748eaccc9d6a02efffbdfe15c619de3bd

SHA512
632e590bcc1b64956a637b5ad58f64c0a68cfc0a805b04d177f754bd651e577e932e4ba9a6ab7856df3339b5a4ad6fae94cb650109c3b99200d0316122f94acd

Download Submit