e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe
Size

2.6MB
MD5

8a19d6c3bbf2d2d4509370f672b7ddca
SHA1

d839fb67f2b76afdaa4eac072f84acc8a77e07ab
SHA256

e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068
SHA512

e5593948e98b03babde83086a1ba0f6f22c299df94ae06ed642fe5bf3f79eb1bd0c5730e87adf74dd62822180cc4b46e7f15267eeea6294f809de17525fa973c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBoB/bS:sxX7QnxrloE5dpUpbb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe

Executes dropped EXE 2 IoCs

pid	Process
228	ecdevdob.exe
1552	devoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvS3\\devoptiec.exe"	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintER\\bodasys.exe"	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe
344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe
344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe
344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe
228	ecdevdob.exe
228	ecdevdob.exe
1552	devoptiec.exe
1552	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 228	344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe	86
PID 344 wrote to memory of 228	344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe	86
PID 344 wrote to memory of 228	344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe	86
PID 344 wrote to memory of 1552	344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe	87
PID 344 wrote to memory of 1552	344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe	87
PID 344 wrote to memory of 1552	344	e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe	87

C:\Users\Admin\AppData\Local\Temp\e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe
"C:\Users\Admin\AppData\Local\Temp\e143dd8ec02f04422e6b2d0ad37954b21f6d3d27ae97ce1271c1751b7fe9e068.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:344
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\SysDrvS3\devoptiec.exe
  C:\SysDrvS3\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintER\bodasys.exe

Filesize
2.3MB

MD5
c2fd17b37c6acad6cf833d2b41e854b2

SHA1
fd85219201ea7e92b9f33b20983d529f06f8a010

SHA256
4d1b18be7f717a59303f606dca72fe50274849b787f66152f4bd7f5c128fa210

SHA512
4528942622bd4de90902aa23a2596ad7ad2a4feb65bbc1e0f9c48574f72d90064c876d6189e1e493c96a68213ee815fe5c2cdd212a0d3dfde0b80dcea49fcbc0

Download Submit
C:\MintER\bodasys.exe

Filesize
12KB

MD5
5ce46de9d1c8ab23eeb8a98bb0b2232e

SHA1
eb2b026ffaf5a7802065fa5971c5c4495fa6763a

SHA256
0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0

SHA512
173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

Download Submit
C:\SysDrvS3\devoptiec.exe

Filesize
296KB

MD5
63b2ed92e70b870f82936f5d56b00a23

SHA1
9d294286e9d09a7e2dc018e31534dba9a9203451

SHA256
6b8e163c4019ab82e2f24c7ab2e22923c8b4898f7f5f8e6e1ed4d69d6c0fcbbf

SHA512
2dea7e064e9636af0edd5ecea75a4d2edefcd25d2ab04f34c3ed969d675b8c8952fa66a29c972ce9e4fb8a3c61f6f10468ff727f6f8d6a07da243d5c84139373

Download Submit
C:\SysDrvS3\devoptiec.exe

Filesize
2.6MB

MD5
7349bfdb3e552f7524b68f6fd7758106

SHA1
9c54e8a97503235226f8c205cc36e4920f48f990

SHA256
9f4aa85765eb026e622f6ef0d61a2c047c584fe87af8719b303b5c2589c03f70

SHA512
45ed14110f7177497555d730cb600bfea267348bea0bc4c8a1c6cf56ef4459267bdce633275c4c9d41ba04ac744c2c7db955c11fb8941ec879ac220b4d53767d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b5fe8fa9a36fec41f3b429e4a99499f2

SHA1
becd578a3a48bba7f4abdcf81447a0df15b12d5b

SHA256
3185037cebc5cda9c301d116094506e978326e412d6541a9dbecc9c6be95c0b2

SHA512
2b082810ff8e1f5f526a5fab49630055912974f025ee63db81e207ef275f38128f0452df3990a7b6d257f29c68d9616f6819756a6c11716a1c1345561d08de0c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
ce7de606de2d8aef388630737ff91f5f

SHA1
62ba3c9a9dfe227ac6249fe383eae514f4b4a64f

SHA256
2bda46ecb57397b430a310a7c258c95d34552d0f7e73622777b65c22651b4747

SHA512
0d72ea6bb47994c0571a412143548c2c0ca35390ac9bbcbb2308e6b0691ffdfe57c97acfd950f8b47db29a696ecd7860e44edbcec3883a9f992dca496e96dd3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
52e2580cbc4032052b1f73dfc06421c8

SHA1
485f99607a1c14b299929b546c09c8264ed4d509

SHA256
5ccaa15c93f284e79c0740ada0123cb04d5a522a5cddd4a8881add0bd3246f02

SHA512
1f1128e021c205743253cfa28f56fab96119a76e8a5c212edbb7e8bf5d9565b5b2c1688ec188ea44ea8c6b586944b969548c1a58c7a99716a88639a2231915bd

Download Submit