c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe
Size

2.6MB
MD5

abf4b40a44bbd6529fff548774ab4bfd
SHA1

05300254c2ba5feebe2bf89e255bf3a958b0793b
SHA256

c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93
SHA512

37babd45e20b2bf8bef24023837414d90c4114a3010244c67161361781378505e5c6726e4120272da1e60f54299bc594bf3aac003b320e8e3618fb3157526c9a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpjb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe

Executes dropped EXE 2 IoCs

pid	Process
4492	ecdevopti.exe
4400	devbodsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotIC\\devbodsys.exe"	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1Q\\dobxloc.exe"	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe
448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe
448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe
448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe
4492	ecdevopti.exe
4492	ecdevopti.exe
4400	devbodsys.exe
4400	devbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 4492	448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe	86
PID 448 wrote to memory of 4492	448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe	86
PID 448 wrote to memory of 4492	448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe	86
PID 448 wrote to memory of 4400	448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe	87
PID 448 wrote to memory of 4400	448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe	87
PID 448 wrote to memory of 4400	448	c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe	87

C:\Users\Admin\AppData\Local\Temp\c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe
"C:\Users\Admin\AppData\Local\Temp\c4c5f2edda1f0a81e0ef79c15d061363155407ec754c747d047bfa095c5ffd93.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\UserDotIC\devbodsys.exe
  C:\UserDotIC\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ1Q\dobxloc.exe

Filesize
2.6MB

MD5
dc5c57dd11b8fe80650637b8ddaf0ad9

SHA1
7dc0fc3dfcd697eeeb59f39e5a5bee68d5ffb40a

SHA256
9534332366bac49ee56707a6f97c736239bb7692db11879fdb8992ec17213c20

SHA512
745d80b85d0d35492defe6feb7e89f1c3c74146861a002a7dc975508d3752648dd3c18a72aa81d2f761dcfca2054eb9fcd2973285172ccfaf42f157358997a99

Download Submit
C:\LabZ1Q\dobxloc.exe

Filesize
20KB

MD5
586dc09d5804dc54d44fbabe2f70a2f5

SHA1
1b5a9a763950331479ac1c498b03264cda1e5e0e

SHA256
33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079

SHA512
54a9d8562e63f9b26ca5680b6e9a17abb896ba1d76fd279957335198bab32efc42361d0585349bd615b1859a022b024d4629234b578a41c99310d0b00c64998a

Download Submit
C:\UserDotIC\devbodsys.exe

Filesize
11KB

MD5
091ce6baaf2d0916f9dfa1461237e421

SHA1
5902212ceeb2154045b0a0da553e70d84839836b

SHA256
62d82aa88273576dc8bc487628badc080e5707046f846d8d591f81d64b06476e

SHA512
ce78e389b4871826f4ffc3f9d7319e0544025e916a576000b55e8cc09db59464fd1819ff9a6b3243546dfabdc5b47e99c70c6c95d09481db9e6d6a2621320e05

Download Submit
C:\UserDotIC\devbodsys.exe

Filesize
2.6MB

MD5
301f8a661ba76d612b6d1fbf9ef57ff7

SHA1
7b02db2984ed2681173fb4507fefc224857f13dd

SHA256
197cf6522c8879d8cc8bd39cddd99922940c6b439f0bcebf9cdf216dc79b982e

SHA512
aa44a0f6d1c8101479372a1d39f87d1d903b850cdc9800293c18c8a742cdee168d6063defc3795506a6773ddf8e38b500b0d5473ff8db28e396eaa0458008068

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
22b858eda86c9e44fde41e3e07abf442

SHA1
7f336fec97e24c2b9129124f9a86baacae74b9eb

SHA256
1db07f44d4bfb7e5aa051ef660a254b78038f56aa16d2c239adc402130599c64

SHA512
d2ab7f43f9ae98a52067bedee076d16d74e984eb74cc5de8a1304883aa5708edd3081c3d80ffac51d1bb079716a0f2eabd96e1e187239ece54697ba385361eaa

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
b4e2493c16f5457f28c9e068177b46bc

SHA1
b95abf29e2c8cb22a4846eebf805f3550ed3edad

SHA256
fb872db0aeab36c8f7f153c9842f345baa3848442a91c765059d11b5becadd1a

SHA512
0c744cd7dd23e22fbf84e40b8a1ad8527a5e6f40aa94bc5453da71479f36ba18f8fb8814cd5c51782d2817a23a2917f9682761c822586b822c1c22e84d90b9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
e3e80ec3af9c7ea92184ee5d1d5d220b

SHA1
38589730971a0e0121013b15b72d6e82f6191931

SHA256
bf75a9725721f329bbb4dae137fc5b68cc265df6e66c0d041e09925ba0d3bc6e

SHA512
ba9708817251dadcb6edd93c6de40e07dc0818033018981e49fd9c7ca61736faeb16055785f85e09a63cd61dfb51573172f76b907122430806edf0ccd964846b

Download Submit