5e3dce80e6dc5248d2a57188423d6793e2f3bc992e61a39bc1ae5b912de15276

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9abac6f2975aa2d880c5ca4533c5a020N.exe
Size

2.6MB
MD5

9abac6f2975aa2d880c5ca4533c5a020
SHA1

99d28e199deeb09d6d55e8bedcd3f48255cd80d4
SHA256

5e3dce80e6dc5248d2a57188423d6793e2f3bc992e61a39bc1ae5b912de15276
SHA512

67ee16a97b7ef15745ef8084fb2b6060b07cef9b2b08667e836d43ed1ec176a954f98cbdf635acda262b462b742bcc05a1944bc5f98be177db25155c98108424
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bS:sxX7QnxrloE5dpUpwb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	9abac6f2975aa2d880c5ca4533c5a020N.exe

Executes dropped EXE 2 IoCs

pid	Process
2316	ecdevbod.exe
2840	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2484	9abac6f2975aa2d880c5ca4533c5a020N.exe
2484	9abac6f2975aa2d880c5ca4533c5a020N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocL1\\devbodsys.exe"	9abac6f2975aa2d880c5ca4533c5a020N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQ8\\optialoc.exe"	9abac6f2975aa2d880c5ca4533c5a020N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9abac6f2975aa2d880c5ca4533c5a020N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2484	9abac6f2975aa2d880c5ca4533c5a020N.exe
2484	9abac6f2975aa2d880c5ca4533c5a020N.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe
2316	ecdevbod.exe
2840	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2316	2484	9abac6f2975aa2d880c5ca4533c5a020N.exe	30
PID 2484 wrote to memory of 2316	2484	9abac6f2975aa2d880c5ca4533c5a020N.exe	30
PID 2484 wrote to memory of 2316	2484	9abac6f2975aa2d880c5ca4533c5a020N.exe	30
PID 2484 wrote to memory of 2316	2484	9abac6f2975aa2d880c5ca4533c5a020N.exe	30
PID 2484 wrote to memory of 2840	2484	9abac6f2975aa2d880c5ca4533c5a020N.exe	31
PID 2484 wrote to memory of 2840	2484	9abac6f2975aa2d880c5ca4533c5a020N.exe	31
PID 2484 wrote to memory of 2840	2484	9abac6f2975aa2d880c5ca4533c5a020N.exe	31
PID 2484 wrote to memory of 2840	2484	9abac6f2975aa2d880c5ca4533c5a020N.exe	31

C:\Users\Admin\AppData\Local\Temp\9abac6f2975aa2d880c5ca4533c5a020N.exe
"C:\Users\Admin\AppData\Local\Temp\9abac6f2975aa2d880c5ca4533c5a020N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\IntelprocL1\devbodsys.exe
  C:\IntelprocL1\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocL1\devbodsys.exe

Filesize
16KB

MD5
22982414cd28f7bd963c7390fe332005

SHA1
b9780689fc2f225a5f207b3a0f2533dc5e381874

SHA256
b3c258b288b3f2ef33c6a362503e599b349febb9a0f7fab4311ba488dbb1b44a

SHA512
905aa5b5e80fa41f962d0a01ee4b2a54155d0ff7e92d1533813efa64cc4ff3ad1cdf63ac6a1e689b0a4b44c659ec4760631e0162fda9ab3741cdf0b0bfcd0cb2

Download Submit
C:\IntelprocL1\devbodsys.exe

Filesize
2.6MB

MD5
8d45570d3756fa28a7a5905b603f39ad

SHA1
bb951cb8c1d575aac32d29eb9fec63379e18b301

SHA256
2d7af4d5dd5db07689bfedbeb19431f94507986cbfd567da09d9fdb2d73f9c71

SHA512
d476961cd0d28cd754d08803d5f2dbd824dbd168b2732d4d99bdd21c51c4a95405829ead9b61b649e4c4fb9e6bb567c51118485870f00c87a96d1161bb2a5fe5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
508dc13c93ec72d037c7104e794c4659

SHA1
a8259f16d2075bffe21a99f15e8bea6e10782f32

SHA256
6e482bec60b65d606c4945fb9bc933ee9053ee630fb6c4f7f094b592a042dedf

SHA512
154995dfe09324492d2f3a4df5501abc00b92cb86076a1381e818808ce83503d6969d0edb9080123153688f1d42a4d3571368c68dab63b73917d4a819fff24f1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
3000dda675b3a5986f92e85d202be7e3

SHA1
af929edf8b345179a02ccca22ef249b7cb13654b

SHA256
00cdf94010f4edc03de0fa93ff5ef22927bb08d73161bc6c0f14e8f95b76ab8c

SHA512
45ef0c6765701c7b98c526d44accb4ca343e5979cd18fd0696a796f1299f324fc16792e54f2bd21fb7f04977afd861a31ae358638a946140f81b9ddca12e3ecb

Download Submit
C:\VidQ8\optialoc.exe

Filesize
28KB

MD5
b2c1da885985d7126ff7db091c16829e

SHA1
57db532c749a57aa968b1a36590d08090165448b

SHA256
d57eb32787d6841d7ed65183a1c8e1f3f343fd04383108086dc973f97b649076

SHA512
81ce05eb46346421e265eb6cef7b1c69fb3d8bb64f5c88bf5ba76cfad3aca9e95a6ce6cae81e14884bf072a6ede0b2134bb5a2061cf8d01ca7a87c760284b6ec

Download Submit
C:\VidQ8\optialoc.exe

Filesize
2.6MB

MD5
698a352aa9aef74d44f7d3ebc8a454a5

SHA1
5882fdd8142818750e26ec439444b554503ea0a5

SHA256
756295880680d605dd1115d0e29c1f9ceac48963d123399398139d3db51e7dc2

SHA512
98b6607ee32f2d50dc354058ec3ca82603843351a8bfbf876fc1badaa16abbf8ba77ac644f7d0ffff0f8e1f5b9790774c9a88ecaccbf283ae851adc8922b431b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
ead37353df7ad21a4664e71899980cc9

SHA1
cb8ed3de256c020a59bc75aaf8477241adb647f9

SHA256
0aa5972d5a36f07e332da1753e1f512ff66d43e21355aa21d71c4f1ff4548090

SHA512
855467df497a1982357003d15981883841717d2065c1a216a6c286e9317ad7c6e945ec171a9488349d9f65b80ab0ae1c34830aa09c34f7c2833916c958875ff5

Download Submit