377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
Size

2.6MB
MD5

c3b8b760c276b560a885226c2449a497
SHA1

a1fbb0ef2687b89887b5b3cb8bc9c59400b3acf7
SHA256

377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35
SHA512

973fac4ad7f0380fe7cc8d4b149d37c1f8fcfc32bfdf3b193b85fee6ea09bf3dea21cce0e370bd0c30f9a1468a8e0bb11ba36e35551d912962dca3e5c59d5f6f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUp5b

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe

Executes dropped EXE 2 IoCs

pid	Process
3700	ecadob.exe
1824	devbodec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHW\\devbodec.exe"	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3F\\bodxsys.exe"	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe
3700	ecadob.exe
3700	ecadob.exe
1824	devbodec.exe
1824	devbodec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 3700	1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	85
PID 1716 wrote to memory of 3700	1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	85
PID 1716 wrote to memory of 3700	1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	85
PID 1716 wrote to memory of 1824	1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	86
PID 1716 wrote to memory of 1824	1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	86
PID 1716 wrote to memory of 1824	1716	377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe	86

C:\Users\Admin\AppData\Local\Temp\377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe
"C:\Users\Admin\AppData\Local\Temp\377743f45ed1cf610be9fd06acfc9aa0b61c25d2f4f828a2fe724eec1cf8ea35.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\IntelprocHW\devbodec.exe
  C:\IntelprocHW\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocHW\devbodec.exe

Filesize
969KB

MD5
ec992fd4f3ce787669a6c48d51320a6c

SHA1
11cb21513082940a3fb5c768b6e8311ac364a2c5

SHA256
d2c3b1cd665c8964e7f7c97efd92b9b39686eb621bf6d69afe0c974ec3974150

SHA512
b8cf096ab824ef3eab0529614010e5fb1442518d575fffb8e5e91f734219cb64e0cb171cc7b3c928bd16e800993cadd0c8aad8a154c181dcb266e30190b4774d

Download Submit
C:\IntelprocHW\devbodec.exe

Filesize
2.6MB

MD5
7bed8dc89339697ad6e5de3fde7f276d

SHA1
081d2904df93243ac833f57b5b9b257ddbaef2e0

SHA256
dd78271c196a6f5415678b47f0f83a6b48668ec3d931a9e71292aa6905b2535f

SHA512
b6cf8d6e4a6f0598a852b14962a20a4b1d440d5575ee3a20a668834917fe0a6b55f7118257685ca544acc40b2f06795dc95a7b1f0aa688025f5526356acb0830

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
db38157d02b71013a8f508a0ffd23510

SHA1
6fd7f7102d23b160a3c6122aca11b2a48ebe8867

SHA256
5b9be3390cca86164a73f53ee211a52edecb6caea55fd5a36200e786da54ac16

SHA512
db113bebb04b2f8ba5901c33fc17f067d09f5bcbb80a3ae0b1cd5ab4e051dea02fff64901e966f6a35eab5e2897701016a7b8013ca5c43db8830021088066204

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
7ddb95657aaaad84765c48b3245b406f

SHA1
548b8cd774ddb7173f6b5bd93fcc88b37a3b19a1

SHA256
e2af1ea92f6067c87aaf205a8ee4654c4e4839373271ef1b52ecfd492eb05757

SHA512
e7510f74f4e39df6a161b465c8d78ec1cb3aaeca5a3c9e6d1b6a96db9c8cccd03fcd22b0af7b4ce8e8d09963a6bfcb2f6e5b7c6f23547fe1191fbe4286b12268

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
b1ac9b67af83e70f9f57584e7782f61b

SHA1
06e838f03067420b35608d6f5569a5a2243411c9

SHA256
b0e33916956e708586c88148778ec277398f5e62e7e63b694d132d7f7468effa

SHA512
48534525d9f84abf4560fdaef29340df2dbdec157805010eb3d0cc6fc2a49c844b775450e54b5eb34cb10d935ec1f4223c8f6795360dc39c0d0459a7f13d90c6

Download Submit
C:\Vid3F\bodxsys.exe

Filesize
970KB

MD5
a2d3ac76141e5409383111947f7f7ad5

SHA1
5dde09461bcc7e60290fb928a6494468500c5223

SHA256
5587f3bb537a7425548464dc1e3cc3a39f2f01d5ef01eca724769983e19a14e2

SHA512
70c735bbfb1c1c65239308bb28b466f2640c6be5fc1bbd13d87faa4b852adbe3f44c0962acd1723a20efa878ed67760c31bfc8e28fafe3f89fe7ce77fa8165fa

Download Submit
C:\Vid3F\bodxsys.exe

Filesize
417KB

MD5
404a702bed83cfa4463b98c70ffe81fe

SHA1
c2c7f9efcaf995841fdc9d1dd7c85e4525eb7a63

SHA256
63286096c6fc76de1145203ffa0e357f9f59d4f04878104867d85cf109c8d155

SHA512
4feda93e934e1e9ac1ceccd6363fa751d7ca68fd7d172f7e9567d19d6a2952d946e5b101f290ce2ec4622811d32d8fe050a11a3d2d67f6fca5401afd57118b50

Download Submit