55bb01f68cf5cdd5a10043cd18d36d78ccaee6f7dcc9f582f60fa911d123d907

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf877cede4f8fda7b75fc2109a7bb330N.exe
Size

2.6MB
MD5

bf877cede4f8fda7b75fc2109a7bb330
SHA1

134201f461a697e8c1cc8966eab69b10e2e66918
SHA256

55bb01f68cf5cdd5a10043cd18d36d78ccaee6f7dcc9f582f60fa911d123d907
SHA512

2b807f698201148069857cadd821d088de0ba65ef8673b772e1cdd401a1e3a78966a8710f260150ccfcda1e6db0cd5596ceabaa53313e8865bfb02c5ecaa1e75
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpsb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	bf877cede4f8fda7b75fc2109a7bb330N.exe

Executes dropped EXE 2 IoCs

pid	Process
2528	ecabod.exe
212	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot34\\devoptisys.exe"	bf877cede4f8fda7b75fc2109a7bb330N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX3\\dobdevec.exe"	bf877cede4f8fda7b75fc2109a7bb330N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf877cede4f8fda7b75fc2109a7bb330N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	bf877cede4f8fda7b75fc2109a7bb330N.exe
764	bf877cede4f8fda7b75fc2109a7bb330N.exe
764	bf877cede4f8fda7b75fc2109a7bb330N.exe
764	bf877cede4f8fda7b75fc2109a7bb330N.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe
2528	ecabod.exe
2528	ecabod.exe
212	devoptisys.exe
212	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2528	764	bf877cede4f8fda7b75fc2109a7bb330N.exe	87
PID 764 wrote to memory of 2528	764	bf877cede4f8fda7b75fc2109a7bb330N.exe	87
PID 764 wrote to memory of 2528	764	bf877cede4f8fda7b75fc2109a7bb330N.exe	87
PID 764 wrote to memory of 212	764	bf877cede4f8fda7b75fc2109a7bb330N.exe	88
PID 764 wrote to memory of 212	764	bf877cede4f8fda7b75fc2109a7bb330N.exe	88
PID 764 wrote to memory of 212	764	bf877cede4f8fda7b75fc2109a7bb330N.exe	88

C:\Users\Admin\AppData\Local\Temp\bf877cede4f8fda7b75fc2109a7bb330N.exe
"C:\Users\Admin\AppData\Local\Temp\bf877cede4f8fda7b75fc2109a7bb330N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\UserDot34\devoptisys.exe
  C:\UserDot34\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintX3\dobdevec.exe

Filesize
16KB

MD5
7194af4ca8b5784e038c373119d798e5

SHA1
9c114add88126c1358d7020ca7697c5b0528ea2d

SHA256
f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050

SHA512
dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992

Download Submit
C:\MintX3\dobdevec.exe

Filesize
2.6MB

MD5
70b4c3c897259c23701c6128c6f2d0d6

SHA1
8d410f5182be9a197f401f22037d63bfb5a61aca

SHA256
980d634ad6f71461012e25a802ddcaaef81c3b05ead941366b5d1a84e09db376

SHA512
589a9e1ef248fd2384f41750ba33f7228524cd21bf1503d6be16e466fbb2af9ff8de10451f84464c89014d74e608acdcff62ea215f42677ce70d0762bf897d5d

Download Submit
C:\UserDot34\devoptisys.exe

Filesize
1.5MB

MD5
e7a99338e2909a7e6888a8b7efaca591

SHA1
f754fdba8d60d12f43cdeee82818bdd093b3bf34

SHA256
09439f1a95482ed86bd7351ce38db2374fbc911f1dfe5b1cba30f3e069eab4b9

SHA512
6bd44e1bd3ac989a7adad48c88f63c3a0dbd175dc7fd3614b4543557e1515ac78c256b51b54d8ef3fae656052ec26793b3dbcdd72d2d371cbbbb4dc5ed7cbe44

Download Submit
C:\UserDot34\devoptisys.exe

Filesize
2.6MB

MD5
1e85f05b4fc402515db3b288fb4cb69b

SHA1
770dda4fcde9f66afca5e39034a54b3128c40977

SHA256
db91027ab18b534ab7c9b203284fa49761cd1845583b3ac5dca992f1beca0201

SHA512
8b02a5aecb31b66fff5eb70c198ad574eb5955c09c5f23ffee0e20e2bc792a932509e92d115d7f32ecd6e7a5bbceb098562bd184695d4347f0db20cb79482395

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
c43ec6b84a2f6b78dac2f1b2a2197254

SHA1
1688b28bc385d020aaedd4274c890e4c878fedbf

SHA256
9b00bfb3614c7b1f38371e373970b1802481998e9fee3c2d486df921202506a2

SHA512
d8e565c72955002a9b0cc4fa051bb35b3f6def6377439d1a34f98b69bf8ee3a8988a0a17206c5621ec074d0f8148eb7637305453026b1a24f2252f3211d640d1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
2a6f9f6cf19490374b4084c0cfa2055b

SHA1
420d786ab54c6ed84f09e8b371f4e3ef4f8b1ee6

SHA256
c87cd684f596294517134461eeb436b2e09a0ae42462d39a64e178c7c5f5470e

SHA512
0c7323fc8205c8b84722bf0a0da570fdba8af57a96d7f86e7db4ec45ef0031053179a6d52b0221dc589a940754140ce7ceb599c4b08ca13338e1be0bebcabefe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
758d5c5e3b8f4ddfdb83ec6ec6c05747

SHA1
d0dbbd5ee6f37d3c87ff72adc4add3e0f79ba17f

SHA256
06f007f9ad560889df99de3c35c0febbb5748dd16a688f207e9a864fbcd9ca31

SHA512
be89769db99a2e0da7e34cf87a9352bbeb1799a51661d182b2a093d14b9980b2e5e6185ff64d8a9192cb83b495a9c5204da8139e5c98c319b4fe4c3b687a5f78

Download Submit