5da9a62041ccee01094e9f6aae9ed6fefeded85e14e17ae83c6c436479fe9748

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 03:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d13a078ed03f7435f1e79b66e6b6120N.exe
Size

2.6MB
MD5

6d13a078ed03f7435f1e79b66e6b6120
SHA1

f66e6f1aea762eea1db7107f947dbda57956d9cf
SHA256

5da9a62041ccee01094e9f6aae9ed6fefeded85e14e17ae83c6c436479fe9748
SHA512

e2bf72f5e9810ac77703526e80592eae1f378465bcfa30335c99eb1d8d5844d5efd716ba0f7a41a18fe7e3f8aa37f38395e5329ce4f266b9ea8f6ac93e0d5b9d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bS:sxX7QnxrloE5dpUpOb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	6d13a078ed03f7435f1e79b66e6b6120N.exe

Executes dropped EXE 2 IoCs

pid	Process
4244	ecdevbod.exe
1320	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPX\\xdobec.exe"	6d13a078ed03f7435f1e79b66e6b6120N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZN1\\boddevsys.exe"	6d13a078ed03f7435f1e79b66e6b6120N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d13a078ed03f7435f1e79b66e6b6120N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	6d13a078ed03f7435f1e79b66e6b6120N.exe
2396	6d13a078ed03f7435f1e79b66e6b6120N.exe
2396	6d13a078ed03f7435f1e79b66e6b6120N.exe
2396	6d13a078ed03f7435f1e79b66e6b6120N.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe
4244	ecdevbod.exe
4244	ecdevbod.exe
1320	xdobec.exe
1320	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4244	2396	6d13a078ed03f7435f1e79b66e6b6120N.exe	89
PID 2396 wrote to memory of 4244	2396	6d13a078ed03f7435f1e79b66e6b6120N.exe	89
PID 2396 wrote to memory of 4244	2396	6d13a078ed03f7435f1e79b66e6b6120N.exe	89
PID 2396 wrote to memory of 1320	2396	6d13a078ed03f7435f1e79b66e6b6120N.exe	92
PID 2396 wrote to memory of 1320	2396	6d13a078ed03f7435f1e79b66e6b6120N.exe	92
PID 2396 wrote to memory of 1320	2396	6d13a078ed03f7435f1e79b66e6b6120N.exe	92

C:\Users\Admin\AppData\Local\Temp\6d13a078ed03f7435f1e79b66e6b6120N.exe
"C:\Users\Admin\AppData\Local\Temp\6d13a078ed03f7435f1e79b66e6b6120N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\SysDrvPX\xdobec.exe
  C:\SysDrvPX\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZN1\boddevsys.exe

Filesize
2.6MB

MD5
423aceec7f6ee992deac960a2a6d33e8

SHA1
703c17303a38854158561959efdffe18b66c97f8

SHA256
2ca697473e8b8d8b98bec178c9daa625bde8a34f8cabd4323958df13eab16d1e

SHA512
ea259596b8287e2705b0433389aa577fb631a3d9ce5321c9ae9e77663d858b4cefaec41e0c3ade53e3e3988988754d4798ac28407ae0f98d97b922712fecc79c

Download Submit
C:\LabZN1\boddevsys.exe

Filesize
2.6MB

MD5
d774e92e428e0cc35bf7e9158843ac70

SHA1
675181b08f10e8a5be120a21373dfc04424e778b

SHA256
d47215eae972877e74ad9577723149940abf785b7448e85b205b285ae4f3d4fd

SHA512
efbcfd6df6cab1671c787007caff4ac78d2d90df6e2f85edbd263a3e627ecc68d9bf5721c7a9b5fe671171b6a4caef59f10ac00bec47dbcb38f516df274b352e

Download Submit
C:\SysDrvPX\xdobec.exe

Filesize
232KB

MD5
252c9b52cfcf5ffac40958d5bb74d70e

SHA1
103b5f1125e05372f919cefa7e35b204bc46cbed

SHA256
4e2a19d4bfb430667240a69c5f9e175f3547590223aec8fcb2147bb475167b16

SHA512
18d8e8a9653f816b8985cc7815f629437f67f49cd5fe9b3e532eec23aefe44576dcf929fc6a2521aa2338375af12a288d49fa1eb68ed755b30f7d9073493094e

Download Submit
C:\SysDrvPX\xdobec.exe

Filesize
2.6MB

MD5
f1ef1aa5a6e2095daa4e467c68591311

SHA1
a15b09c2503583bc3c87c9282d1db1fdfbcbce46

SHA256
0a18212b4ce11258ea840a7f4d0ff59f1ed8f801b0cd77e5cb52a1e306af42a9

SHA512
7a06a77775fdfef631e729587c9cb9cd93b1cfcb8ab1b90ab7862387ccc3f515dcc143689858bb83cc2e28ee15427132f192e56fb2e2ddc70e58e435381f224b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
9db5feb30482519bf45ef4cf3c5f4254

SHA1
a95cce5150370dc5333dedeae26413670a20640c

SHA256
326a139ada008faabb9db8a4e4a0ddb1e18f0c3b7e97cb805f2cc42d62ee6d79

SHA512
7e5ebf9069611dab2b8836ac68a0de7091cf5e2228a604d150ed02611c79a54e2df7b2b5722d64ca3482efb5666868386cd0d7d0abc108ef207290be5b493c78

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
5aead4e93a75b222447f1da63689ffa1

SHA1
5209c651424741d53213066316ba83590ead11b7

SHA256
609f5b5ca2eaef9e0caf537919f470d1ebf8460952605c525d7d5cd910f6ee95

SHA512
50a61940a1156b00151f5119364f473a17572c71a24a932fcef7e6ed8ded9878fd5368d0157fe8fde21f8aa3d2561df1142b0e65197821042444d1bc8b91c1cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
1d6bcddc61b17e4b5200a3adea853260

SHA1
39b3017a869c5dd731c64b7350d4229fce45b170

SHA256
3cef003a9b564e0f9e13b9c6fb259be1594ec1493ac40bdf7679418f2492b01b

SHA512
74c5091394826c9e6c54bf594570b1be0e12f6a5b233fafea516a3f1c570afb536a1834863d77123e7513dd4c05b5a0dd2f2da6cde508fd936b0551a8467133a

Download Submit