39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9

Analysis

max time kernel
119s
max time network
21s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe
Size

3.4MB
MD5

db0b02629d030e233ca2aac36c1e6950
SHA1

d53bbd959df4c897b1783b733cf77b50a4312753
SHA256

39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9
SHA512

a658640fc13a6b4597ce9bc9c4d1612cb2d71e258c7b9a6a4dce8577cc8d0481a5274114dcffff13e439610f21eaea3a4a740c1af8aa09501d85c6454ce4364e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBXB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp0bVz8eLFcz

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe

Executes dropped EXE 2 IoCs

pid	Process
588	ecabod.exe
1940	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe
780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRY\\devbodloc.exe"	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDW\\dobxloc.exe"	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe
780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe
588	ecabod.exe
1940	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 588	780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe	31
PID 780 wrote to memory of 588	780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe	31
PID 780 wrote to memory of 588	780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe	31
PID 780 wrote to memory of 588	780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe	31
PID 780 wrote to memory of 1940	780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe	32
PID 780 wrote to memory of 1940	780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe	32
PID 780 wrote to memory of 1940	780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe	32
PID 780 wrote to memory of 1940	780	39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe	32

C:\Users\Admin\AppData\Local\Temp\39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe
"C:\Users\Admin\AppData\Local\Temp\39483dccedf6b9d8a49f6ed8979adea12f338d1199bfa906366ee9449cdab8a9N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:588
- C:\IntelprocRY\devbodloc.exe
  C:\IntelprocRY\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocRY\devbodloc.exe

Filesize
3.4MB

MD5
c1a893b28bb5e8c783535870317fabce

SHA1
aeba15a55e294ff094d46911e46bc5e7126b7fc3

SHA256
54772e19349a512ca7e27581880136fe6498f18c6b9a1635e8f27559822744b3

SHA512
a1a4eb8629496574bb0c9929aefc67541b48e8f7db5ab2989da6cc960ee170a293763feaacec85bd8c89b286df9e8b4eeee2fff56a826c5588195dcdfe369d64

Download Submit
C:\LabZDW\dobxloc.exe

Filesize
421KB

MD5
f3f5e6735497801031cb07887f6e59a0

SHA1
4a5e3b6c0ae0b1ebfca3c2b32ae4a50a6f959cca

SHA256
e99c5f8518d0b171d5ba64bc7c851d61c732801388fda75e2f32d4b10a3ed976

SHA512
57f5b26454c5efde4e84b7a4d019666b62a8c5a4f3e09b3ec30988af21e2aabd8f904a1162ee160639cd5b87e71b9338385cdf14e70ddf1c464aaa480df6da74

Download Submit
C:\LabZDW\dobxloc.exe

Filesize
3.4MB

MD5
9bfcf2cd97d532616449ef3cd469407e

SHA1
ab560b797002c56a38dc4467ecfe069855d147c5

SHA256
f8e8b58ad2faf836b0ed2817b5fb54aa1da9b2bccd8f8d8f5ca189efd67b1ba1

SHA512
1f250898b1eae633801866e91d62ba6e54206cde5d5b2bc9c647ac9f32bb1ff9274e273c02dfdddbd04b45496aef01fa07048136c616b59dd32fd99a4363234e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
b94229b869bc0702df18b013dc175be9

SHA1
c3a01c20dfc4c735c37aa3cad4a676629a94f2ab

SHA256
702d9ee1c64ba6f0dc7d14d168908c974ecde2cff54a26088fc994fb0d5527b0

SHA512
5b74fe868a8da57a98024b80fdf1dd0dc6b693da3da50cb3b63156cb0c112851cc30278d84b7c13713891bae8a512ed6fdac06ad64a14addcc5e67a01b224bda

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
c2acb10adc8d88bd96b7460fe53085a7

SHA1
ba1f6e458b2f95c6ada34506436155c764ae0553

SHA256
41b2b97f2922868ae7ec0cf5817e06be5b7d6634fbdeee7df84643418568c51f

SHA512
f7738ebc84b10aa4af492a42b8b3dd4a5ea6e8cc7ddd1848c1bf29723cd9979b2a1b30fc86289d10f2e339ffa242724de5945f69b6ee1d2c0c1952b2f0ab4a2e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.4MB

MD5
2ee829be238c252e104dc9e91f23effa

SHA1
a2c523a31186abea1c467d97209a8dc9fcb7fb81

SHA256
65836cda4ad508112d138e824173ce89bb2ffcbc5a67c2b94e5ed777db2e7610

SHA512
07176f48e413f6c5146eabca9b687ad72bab3bec2eb11d5c0c6b8db19a6ef3110144c06affd4879d823e7e7afce2547c3ccbdb59cef6d501ab5b65c8ed2d12bb

Download Submit