7015ec6a29c8f8fed1c7806bb2b9ef24a56f0b935a5175a809c6d2e754a944a8

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5585e951255d9602322e48f40f8b3330N.exe
Size

2.6MB
MD5

5585e951255d9602322e48f40f8b3330
SHA1

fe97e6c37866e88ab046d516c2a552913eb707dc
SHA256

7015ec6a29c8f8fed1c7806bb2b9ef24a56f0b935a5175a809c6d2e754a944a8
SHA512

6ee178ed2cfc5a82893b20d0ac5d9dbf3c6fcf789e607739a19836272111ca2891554cdf458946c2dbcd55c1d06d7089ce22269aac11649f642987e1276a1013
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bS:sxX7QnxrloE5dpUpSb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	5585e951255d9602322e48f40f8b3330N.exe

Executes dropped EXE 2 IoCs

pid	Process
4284	ecabod.exe
2892	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7Y\\devoptisys.exe"	5585e951255d9602322e48f40f8b3330N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQL\\dobasys.exe"	5585e951255d9602322e48f40f8b3330N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5585e951255d9602322e48f40f8b3330N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	5585e951255d9602322e48f40f8b3330N.exe
824	5585e951255d9602322e48f40f8b3330N.exe
824	5585e951255d9602322e48f40f8b3330N.exe
824	5585e951255d9602322e48f40f8b3330N.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe
4284	ecabod.exe
4284	ecabod.exe
2892	devoptisys.exe
2892	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 4284	824	5585e951255d9602322e48f40f8b3330N.exe	87
PID 824 wrote to memory of 4284	824	5585e951255d9602322e48f40f8b3330N.exe	87
PID 824 wrote to memory of 4284	824	5585e951255d9602322e48f40f8b3330N.exe	87
PID 824 wrote to memory of 2892	824	5585e951255d9602322e48f40f8b3330N.exe	90
PID 824 wrote to memory of 2892	824	5585e951255d9602322e48f40f8b3330N.exe	90
PID 824 wrote to memory of 2892	824	5585e951255d9602322e48f40f8b3330N.exe	90

C:\Users\Admin\AppData\Local\Temp\5585e951255d9602322e48f40f8b3330N.exe
"C:\Users\Admin\AppData\Local\Temp\5585e951255d9602322e48f40f8b3330N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\UserDot7Y\devoptisys.exe
  C:\UserDot7Y\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintQL\dobasys.exe

Filesize
440KB

MD5
2d76ca3131e57e4d7c5356f9671e3a3c

SHA1
38090753b864d5724884366fc30c200496b29a69

SHA256
7ceeb54716b0a7bd0ff92c36fac07bea246e0a6e8f3357304a831f98f7ef7ff5

SHA512
0cd59864a5b69b9d768d9826e7c55dc3293235d33c79609f1bab93ae87752ef8a0a808a4988e71bfdf7e6dd6d6b4ea3b29eaa295041586b71f58de50197debed

Download Submit
C:\MintQL\dobasys.exe

Filesize
2.6MB

MD5
462dbcb3fb1804ed4b645eddfa228aaf

SHA1
ebfb42aeec755d61ca08b22d3ff35703effc3d8e

SHA256
79a09b2fd0eba2091d918727f4d9b6cefb16e02b00b375b3d66a0059605f0777

SHA512
7dcab221bc602f7bfa525e976202548c0711de4a8cb3c1dae3fc193b2a5b811bd946dfefcca4a1b5e1ce181c3d762e5e4092d078d838c4a2573d66bf4a6af353

Download Submit
C:\UserDot7Y\devoptisys.exe

Filesize
131KB

MD5
f262f3bbbff7f1b4894f8536822980c2

SHA1
4719d187a1b8c07e6c5858cd31d55a739eb473df

SHA256
20b48677bdca054ebebd4b7673c2817ccf902d9b6880708d48833877f7ffdb2d

SHA512
6f84eec47d39872fcf1da44c66f76a391f3826089a09a5ec27197bb20eaf7a2110407b8147bcaee5e6505f88132bb04672f55e322536f252c62731ff864d5f2d

Download Submit
C:\UserDot7Y\devoptisys.exe

Filesize
2.6MB

MD5
da69ff34622dc743be9064f7f733d43f

SHA1
a7481b6c94271bb9e2d110555c2a1b6edc47a958

SHA256
41072097363acf3cf321cbd616a471f83b4ff668380bf723824f03c606f37f38

SHA512
eb2f88aec91f88fb00bec371ca135b4e7aaaad151fef9509e886e4245c3c2c5913d0262f1f57a2e93e9e6bf10392c59952add89294484160dd72c94371a66b83

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
2f978ab78172161cfcfd62406c2e00b9

SHA1
40be35cb79953631020336baf50a0b2d54c198ad

SHA256
acc0e2f1a3d20cfefaeddff8f64644466905ca618b310e67c2ded09ca1b0988e

SHA512
ede343473b6a11e8cafd669b0fc1fa658ea0c028bed54435d26248c7cc9b5833a955a563bb042c72f0e5d77fd5ad6d0c2ee1a07526f26fc1d1fa6c96695aae5b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
367928d6d11135c9f817103762279199

SHA1
b7a53b71f840624a15d8ecc5d76c4879229fab02

SHA256
40bc32f3aacd60013cb4196ef781dfbde62f45ba9c6120bfa11b6b1bbb728a1f

SHA512
7e572f627bbcfc0fff110e4bfcc34791f0b099408c3a7733f1aa33bc2d19a3992431249b15b1303b12ddca578afa8821a2ea504ddf1c6b36c1f5544f264e86e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
4ae8f387653f29ae631e273c2697523b

SHA1
1608787d2c8117737f3e25af13b6c474cb8b7a47

SHA256
9b40666456e078db3b02f2d25d11183f2c9d2fd7ce9da9eb79fc8bcbc7a93151

SHA512
e2baa114eabf30112ee7a0873a522073222d3474bdf581dbe1a6b40b626a30dd23077a82609ce7ca70515e78732fc3f0a838316443295425a6f5ce9c507e0ecb

Download Submit