7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
Size

2.6MB
MD5

a2e3c966cc08cce0c578426b140170dc
SHA1

c7ae35599b9ed0c25019ec290723157d73da53de
SHA256

7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180
SHA512

0c049584d0c595472c7a7ff4ad53cab168c86a083ff6aa72dcaa1cf10b35f3791e6eef439cfc285bd1a9445e7750312c3078f8a97c40c5b58e070262f591df9d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bSG:sxX7QnxrloE5dpUpIbH

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe

Executes dropped EXE 2 IoCs

pid	Process
2576	ecdevbod.exe
2816	devbodsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7X\\devbodsys.exe"	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYO\\dobaloc.exe"	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe
2576	ecdevbod.exe
2816	devbodsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2576	2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	30
PID 2404 wrote to memory of 2576	2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	30
PID 2404 wrote to memory of 2576	2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	30
PID 2404 wrote to memory of 2576	2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	30
PID 2404 wrote to memory of 2816	2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	31
PID 2404 wrote to memory of 2816	2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	31
PID 2404 wrote to memory of 2816	2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	31
PID 2404 wrote to memory of 2816	2404	7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe	31

C:\Users\Admin\AppData\Local\Temp\7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe
"C:\Users\Admin\AppData\Local\Temp\7dfbba11451b29e5ec0a938d7152849e014ca31eefcf8b9c4851cd2aa66d7180.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2576
- C:\UserDot7X\devbodsys.exe
  C:\UserDot7X\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBYO\dobaloc.exe

Filesize
6KB

MD5
c8190a91500bb1d9caa61e3b11eaf128

SHA1
ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

SHA256
6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

SHA512
bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b

Download Submit
C:\KaVBYO\dobaloc.exe

Filesize
2.6MB

MD5
42b4863f39ae4044fba5de513c812b3a

SHA1
d73a2352b52edd503d92cd82ecba945933af8c76

SHA256
a8397d5cfd612914bfc1c0774986431de3739ff88d4484694500ce857887da51

SHA512
79fabf31b33f5767e3dbe46153f8d2ff62120a7402d93b77eb24d9f43a4b13d04fe3e17abe8da586950b1d221c5bc60679ba3606e3c58cab734c9ec1ecc840cf

Download Submit
C:\UserDot7X\devbodsys.exe

Filesize
2.6MB

MD5
e16715d7745865e3a8a2858d5c52a949

SHA1
82689507a28cced822188b344a0b1dfc21ee0910

SHA256
881b11cb337af7bc32eb74a7fdd1fe66094b8a0d52f86e0b3c98ac734677017f

SHA512
6fcd232f6536ad45285b3aa8c1700d1051aa07f5fe3f110e068d12acadaf9cb24fc11cfb4ae437e9e3f7bdf4527fe0f9b3f1401620a82cc2388896c32f96b985

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
03b5d073508f10997371cd83e76e98ca

SHA1
9992a5f9b6025a8aa5dc83e1ae133d2fdd289726

SHA256
7bc6a6896ce45242a3351a6232cbbc74de6ada499340c53e5a4892703c90a182

SHA512
c49070b2eb5b5407c27cdf91b31e7cd1024e33b78eab84b36b4c5e6a5ac110d4f1fafbe592f35bfb9301c453db51ad7fefc1b26d5a3f7305c6e5fe2aaa6f8cbf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
abafc4854b399755fbd7639d81b24389

SHA1
48b175fe300b24c721ab83de2ffa8eda07c4b8fc

SHA256
d1cd9e28df6ffcb824a20d3d77727d8774c7595f88e57289dfec87730de970e5

SHA512
9e804f13f56d9527d546e446b9c138cefc987cebbbc2a47e64e32f61f1088e1c2b4a42041f128b53f05eaf2ebede347fbffb4dbb5b3b13420bbdd50a6fe7af6f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
b5ff35b502f8cfbff2dcb40c673db53e

SHA1
1b6b94fd7e00a5484d0dd16efa28423443e98b77

SHA256
64664be9de6f7eefd5f3eb629932f0bd5b5dc39f05a599a63f5a37e2e23ba4b2

SHA512
8d9f7344162333aa7fb8b8e148f762cd7391d729baac617f2adc6f4d43578175b7217345ed7430a44c5133329e9757b181d0a21b0dbd9cbbed1d863213d7dda9

Download Submit