55bb01f68cf5cdd5a10043cd18d36d78ccaee6f7dcc9f582f60fa911d123d907

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf877cede4f8fda7b75fc2109a7bb330N.exe
Size

2.6MB
MD5

bf877cede4f8fda7b75fc2109a7bb330
SHA1

134201f461a697e8c1cc8966eab69b10e2e66918
SHA256

55bb01f68cf5cdd5a10043cd18d36d78ccaee6f7dcc9f582f60fa911d123d907
SHA512

2b807f698201148069857cadd821d088de0ba65ef8673b772e1cdd401a1e3a78966a8710f260150ccfcda1e6db0cd5596ceabaa53313e8865bfb02c5ecaa1e75
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	bf877cede4f8fda7b75fc2109a7bb330N.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	ecabod.exe
2768	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	bf877cede4f8fda7b75fc2109a7bb330N.exe
2292	bf877cede4f8fda7b75fc2109a7bb330N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocU7\\devdobec.exe"	bf877cede4f8fda7b75fc2109a7bb330N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0J\\boddevsys.exe"	bf877cede4f8fda7b75fc2109a7bb330N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf877cede4f8fda7b75fc2109a7bb330N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	bf877cede4f8fda7b75fc2109a7bb330N.exe
2292	bf877cede4f8fda7b75fc2109a7bb330N.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe
2964	ecabod.exe
2768	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2964	2292	bf877cede4f8fda7b75fc2109a7bb330N.exe	29
PID 2292 wrote to memory of 2964	2292	bf877cede4f8fda7b75fc2109a7bb330N.exe	29
PID 2292 wrote to memory of 2964	2292	bf877cede4f8fda7b75fc2109a7bb330N.exe	29
PID 2292 wrote to memory of 2964	2292	bf877cede4f8fda7b75fc2109a7bb330N.exe	29
PID 2292 wrote to memory of 2768	2292	bf877cede4f8fda7b75fc2109a7bb330N.exe	30
PID 2292 wrote to memory of 2768	2292	bf877cede4f8fda7b75fc2109a7bb330N.exe	30
PID 2292 wrote to memory of 2768	2292	bf877cede4f8fda7b75fc2109a7bb330N.exe	30
PID 2292 wrote to memory of 2768	2292	bf877cede4f8fda7b75fc2109a7bb330N.exe	30

C:\Users\Admin\AppData\Local\Temp\bf877cede4f8fda7b75fc2109a7bb330N.exe
"C:\Users\Admin\AppData\Local\Temp\bf877cede4f8fda7b75fc2109a7bb330N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\IntelprocU7\devdobec.exe
  C:\IntelprocU7\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocU7\devdobec.exe

Filesize
2.6MB

MD5
c43fb890bb83124195b9b5d7bd35a535

SHA1
08314ba84f855891292fa8b169ecf8ddc2b5f540

SHA256
4f0a6c2cda538ff1d2e4a09f1a1b5e1aea4074047aa1e6ab2f8cd189eb0a77a4

SHA512
9e3157ffc4cd556e404a2844d79552efdca6d5a8dc62450dce041868a8e09f6edb79c7a652c394923231e93fc8079a5cc973ba4765c78cf1f0be1f1d853b2670

Download Submit
C:\KaVB0J\boddevsys.exe

Filesize
2.6MB

MD5
01d820ca8145e861236cdc931080b90d

SHA1
a1dd0550c03dfb4e46152539abc0dcd9df14e5e9

SHA256
75d71514ce737248849f0472c27aabdc111cf8672ac8a4022d5266f9b2fd1d64

SHA512
d5ffc52e700c68ec6b87630f10b9f1ae3950ea6efffc2fe6db8cb0641317f1a295d5c97b9a00841142fe62f58bc139bdf18b393ce4ea8ec929a03520e879731e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
eaf8e6e072cf4634f66ea2ba2acba3ac

SHA1
c6daa00a1311181f71817b83f78e6d95be562449

SHA256
f6b74ceee1d202982b037ad531cd8d118569b8cf2ff9cd70cdc1aa6f8b3f7131

SHA512
efbd67fcb6304404fa642aeb10632e647566def61e3fc8510e7c19c544d9d165169d666edcd28eef0bd60d38cbed8d2a97e683943f8a2801a2b8cc9fbf18cbf9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
4776bbb6eb363cb63753dc05f83d14e4

SHA1
796d8828e2ebec7f8c287a0e7d0130b5cab72c6e

SHA256
a651467706aac323e7183a3189eafcd084ad7785a90ce157f335133c7f2f7e25

SHA512
7caf14a76b670470825c74776faf8fa204eed9d24f0b071ceb2a68a55df4309d66f25f38f009032dd9472c852f725fca0e4eb77f7165d6aa89d4780be97fd803

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
5257e60b271f048fedb1a5e03c06f415

SHA1
7e70b75f1f22f3ecd3658bf39cad6a064dc0d2a2

SHA256
f8941978962961505dfdbbbfa108563af359a73273abde7ba61d9ad2bba088be

SHA512
7f077ce4b602672bb3e54f858631105e6cd93ab8d0790799c71584274e53f0aad3fbd057be3c43a6865d27c0eec77557dd08a7bcd9d392678d3bb3b366b60bec

Download Submit