16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07f

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe
Size

2.6MB
MD5

ce52ec7b5db0fc4e6ff6613adabfb200
SHA1

1c48db05af5d17a34f5f8ae1fe32105c4a40c2b2
SHA256

16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07f
SHA512

38e3e2f96727e4d8d6b2e5a8b2d8fda11103accd72dee1894db949318deb3b5835836c022aeeda85e2e70b9bf5e916023f98a5461bee19f659af11846133b9ce
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bS:sxX7QnxrloE5dpUpHb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe

Executes dropped EXE 2 IoCs

pid	Process
4936	ecabod.exe
4056	devoptiec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD1\\devoptiec.exe"	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT6\\dobdevsys.exe"	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe
2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe
2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe
2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe
4936	ecabod.exe
4936	ecabod.exe
4056	devoptiec.exe
4056	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 4936	2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe	87
PID 2268 wrote to memory of 4936	2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe	87
PID 2268 wrote to memory of 4936	2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe	87
PID 2268 wrote to memory of 4056	2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe	88
PID 2268 wrote to memory of 4056	2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe	88
PID 2268 wrote to memory of 4056	2268	16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe	88

C:\Users\Admin\AppData\Local\Temp\16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe
"C:\Users\Admin\AppData\Local\Temp\16add27e9e1be232f2963ba58e79ca3b15e303a39375c5e23095d20b175cb07fN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\SysDrvD1\devoptiec.exe
  C:\SysDrvD1\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxT6\dobdevsys.exe

Filesize
2.6MB

MD5
b486c507549f0fbc09dee7b30b16e071

SHA1
ea188dbf79b491c4b5fb4e6b424b5ad5534258e0

SHA256
734194a58bf2ca19f0117fd6f154a77ca35cf6d8dfc06125aefe930dccd8e67d

SHA512
f79709e5004b86d7cfa1aa21f09ff1cc5ed926d41f45c7965a884637f1bf9963044c77f0a6d29ffda321aa10b1c3f26117791c5b5e6ca3a64fbe4c3b072251f5

Download Submit
C:\GalaxT6\dobdevsys.exe

Filesize
2.6MB

MD5
92b688963fed84fadf79f46ad365249e

SHA1
c430052bbebd482de178a5a099cedec96d0f98c9

SHA256
965541a133346ce5f14f7e20f27c07406c1bd14e1cef65d66984b87f0994313a

SHA512
11fa2682051a732a870920d6d5f1ae38552168545227978bad7268a4403a0dc77604dacc6681e99d08a9a20a0c385df03c7918a0834bdaa5c8bd1ace2a232592

Download Submit
C:\SysDrvD1\devoptiec.exe

Filesize
7KB

MD5
c5a11c20435bf167b7ef33a92d131f4b

SHA1
c88559847d49a4715d86999f6bdf7f3a710b55a8

SHA256
186493aa3c8ae67d8a6672ff6b522c91a36ab2b4a1859de6cd024fde6cca526f

SHA512
a9ab8a378a0eb79b224d30ae559dff6a73633c0f999b60e3331479037dc18e3d1bae1bc28941f4b94b6ac102190b5899adc9a706d3a4af95dd8c65e897f34335

Download Submit
C:\SysDrvD1\devoptiec.exe

Filesize
2.6MB

MD5
aa27f1a5017f1583ba764fb48233a59b

SHA1
8981563999efc7c6c07552ec471e06a285c87d91

SHA256
5e04770e9c40fc6d196d39874ca982588fb27eefa3de1c3c4f503172b8519547

SHA512
af015fc54a1f0e99c7ed30434aaa77c70259f9676ae52c37f428035c08205337f0476b1d845b74d8b141dedcb8bb3174bb82e78c0b3052a32fb7a99ed17db028

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
d08a515300ce0aa5f59e29f5e3818b42

SHA1
270b50e0bf08a7f13e84484fefac09f706bd9a2a

SHA256
0e7c5ff7f4ba9ab624540dfa28ee0d90287bf9c560ad8bb4a34f59d3232e0221

SHA512
a5bef8fc807582d8d4e615b2692299f8a2ff519b7da167ecea417d3cb69f4113e65c1dd52687a3a22cc7475e002875b3a82b6e7bbf6a5280f3a0aac8581228e0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
c5f870ec51ff100e3eca332ea39f8ca2

SHA1
6ca85724957e12d23f6781b937ca26757ab9df70

SHA256
3427b6b55f208e5cceb8055e31129b1f3c0c8ef9d1dc908789fd45445daaa554

SHA512
70174566226adc3fb0bb3cdf987d1433ad9e6427d13ad29de14e307bdd70324cf07939bbd92cad0a286e8ee91854ce4f1013cf7d3584a2f7c93251e6d00a4ee3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
4ef0aee7583aef69cd3bead393d95b53

SHA1
60d3e44e197ad7b40d0eae86aac2232cdd07d06a

SHA256
cbf4c9a16587abb18f7c966aa75783d00002332aec08025b7746ff9a23dd842d

SHA512
6897cd7ec635478551dfffd4f04a30b3da2c2e8673163fa23fac3c9968d3933e143681c70121274d71957b8e8fdaa09a6b6f01402dd6f1b33be980cdba8b173f

Download Submit