557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
Size

2.6MB
MD5

c8aa68ef14a248bfbe28f8df2a7bc02f
SHA1

d243c92aa51c757faefd6b71b6801b225c0c696c
SHA256

557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9
SHA512

eef992a2559f1c2a576c96e6368e2db9c8d3e3cb66a4f21eec4bb9927755b6ba4586bbd9a8c0ff5b3c6c78f7d510615ff0c8b924196eaa85a9295f70ef2f74f2
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSW:sxX7QnxrloE5dpUpDbn

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe

Executes dropped EXE 2 IoCs

pid	Process
592	ecdevdob.exe
952	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxY0\\bodxec.exe"	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNR\\devoptiec.exe"	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe
592	ecdevdob.exe
952	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 592	1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	30
PID 1724 wrote to memory of 592	1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	30
PID 1724 wrote to memory of 592	1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	30
PID 1724 wrote to memory of 592	1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	30
PID 1724 wrote to memory of 952	1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	31
PID 1724 wrote to memory of 952	1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	31
PID 1724 wrote to memory of 952	1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	31
PID 1724 wrote to memory of 952	1724	557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe	31

C:\Users\Admin\AppData\Local\Temp\557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe
"C:\Users\Admin\AppData\Local\Temp\557bf85ed49b6bb62036fcc24593f83e895df5f1fbd6e4d288477a878ea062d9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:592
- C:\SysDrvNR\devoptiec.exe
  C:\SysDrvNR\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxY0\bodxec.exe

Filesize
295KB

MD5
3551b6b551b9b9bc1014ea1dfa296285

SHA1
64ebe411b2b1de00108733c2dad0f41cbd9b05e7

SHA256
dab6a9b6bd6abe2cb8250361a641f14dd7eb69d1624857569633e7b81871f301

SHA512
b026585963c88918adfff20029ca57063b9efdae441e00aa8ac4f508c48a2e09d9b1df6bb048cb5fdffde4c15e070b2289393003a75f7f9728afb8a1a0bbb5d0

Download Submit
C:\GalaxY0\bodxec.exe

Filesize
2.6MB

MD5
81f746586a1b88bbc6562648882927cb

SHA1
c6e0ffdb646edd4583ed12965c72331d74649941

SHA256
3870981c22d5271572bd450bd3d6cf71899200816c42e2850641e4a2694a2965

SHA512
61687e7b86656c1b99120cfa0bc223a15c79fd457b8c987a29cbc47490e4c1ebf74cdb5825a46b7cfe1074f5831ae4cc34be15cc33ecffe6dd648620033bef8b

Download Submit
C:\SysDrvNR\devoptiec.exe

Filesize
30KB

MD5
4321f16afd85a3882969acdfb8fbf7ac

SHA1
d9165c929539416385855955a35a713bf46ced88

SHA256
c9062b226b05a5938853bef8f7312d21760c9b984c749732c7d1a1549adb3b97

SHA512
57d3c08ceb68e0bc67b5ab3a77d88e59f9cc1b265e16f331646b2b7f1be8d0bbef7a5b4dee0083c00f1c95d045995786bf772d1a5edbdc510fa21d7991b7797c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
9b9e01ed726fc898202b8d00c805e7bb

SHA1
083b48d92329dee12b06dab713047ebeb2986b82

SHA256
353812d8ffa782d3992ef852e771811d140bb683ef91c98326bd99737eec9a66

SHA512
90a3df8786c57c602676676433aeca6ce8f1295ff4c87e6541f387cbcd04fec31a380a808554adee095a11c4d30582c720a1747768f91ec28f46d38e13a14b48

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
b13d3a4eb37a0b5690191b186f86183c

SHA1
e17ad49c63063a801bcfadfceba2e4cde0a5def2

SHA256
ba5c09fa577f469cab5855a1c038a3629d7d1ba3bd892d7694307569e0042bce

SHA512
93a7e26a56d1363ba44c66a5e084d1811c6f38e197ea1e19bb6eb90d34c95b260dd82b95a97f8eac250145abf1d1ab94be309ec9233b68b75a0035d0726a7c63

Download Submit
\SysDrvNR\devoptiec.exe

Filesize
2.6MB

MD5
2c077c61b4c86aaa9093616e1402b0f6

SHA1
c3a958524ca169f45b750fb6206b4171864ab0e2

SHA256
06c60c04f7533700a384ce49f45381e43b84e7f79e2e78c0894c5ef9bb4ce3ee

SHA512
e35027f739c8ef9c5797f26392699558d70a2e597f85d69495080ee24f3cf769d60177dd06723a6051fa003d2e05ad1de67210f6e654ecde3e10bda3ed4f45bd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
73e5968532419c7f03e52864f686995e

SHA1
9e36e154ead8fbc1f9a2092e53edcbcddf7f56f1

SHA256
14dbd6ad706792d6137186b980702957130520eaf36e4cd3275556e4d59e24e8

SHA512
4ef5ad37f3c73e15675fc55dfd1473019b7e483031f74efdad1011bf20928995f1aaa0403c3649dba8698844f9c719a29e2f4b364495b4447213330b3fd4f83c

Download Submit