c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe
Size

2.6MB
MD5

0bb555e0ed8ece8c7c84afe427529665
SHA1

c94aec32a6ce6d8423ed02ca1ca8a3915ff34724
SHA256

c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701
SHA512

53bbbac1eba57dd984473f8cfe016aa982b46a1c13af5f1888810dea2f1d8f27d33e5557444831d887be65dfdd74ead7b7139fbf0ef5a7f2af5c30f040a89d9e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpOb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe

Executes dropped EXE 2 IoCs

pid	Process
3732	ecaopti.exe
2220	devdobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot75\\devdobsys.exe"	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJX\\dobaec.exe"	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe
3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe
3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe
3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe
3732	ecaopti.exe
3732	ecaopti.exe
2220	devdobsys.exe
2220	devdobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 3732	3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe	88
PID 3920 wrote to memory of 3732	3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe	88
PID 3920 wrote to memory of 3732	3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe	88
PID 3920 wrote to memory of 2220	3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe	89
PID 3920 wrote to memory of 2220	3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe	89
PID 3920 wrote to memory of 2220	3920	c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe	89

C:\Users\Admin\AppData\Local\Temp\c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe
"C:\Users\Admin\AppData\Local\Temp\c6bd9b3d4e67988b468bb3d3af355710a9324791fbdfdcb540ed6c9254e57701.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\UserDot75\devdobsys.exe
  C:\UserDot75\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxJX\dobaec.exe

Filesize
2.6MB

MD5
b286d0d077275952054f676d93b5c770

SHA1
4df11dd03e8e2b55f1b4d1eb2f2358a22a7f0414

SHA256
3ecba02597fac105a7ba049acf42baf9bfce6655529f7380f684783d093d66e8

SHA512
a8b59ee50c9b686588c1e1e2a966ed348e50f5cfb16bd9fde846e72cb40f1cc1b95bf6371665781b17d86b962d3bffd0f627d09de2aec9213c8b71a6fdf1663a

Download Submit
C:\GalaxJX\dobaec.exe

Filesize
2.6MB

MD5
cad03bee070029b74d951f849d2ddd0f

SHA1
31924ee3397d84081d99a9d80b72bdb4dda9ebd3

SHA256
606e56fab60737fcb91b01f89feb1d7b5ba9df44057823a7c0e9ebf13c1d8dca

SHA512
283a63afb582f6bb4396119775402e3a4a9b8f531a5c67456d8d45c3c8de64f54f2040c2ced0b14d48557998071d97e1491022766d3da51d659876fc11f61214

Download Submit
C:\UserDot75\devdobsys.exe

Filesize
452KB

MD5
40ea2c5fef736d745e682492bdef9196

SHA1
f811e38dd6e30db84a45e1e6442659f3bd70d595

SHA256
3330d5e8bcecd3ea2d26519d1041e107384b536ba308415d7e64df3e1b4e0180

SHA512
84bcdaf625ab623d1fa3627dffe95b0b2d1828e8e2089111c394f07bdf07cdfe43b88f6cf984733652a33d4642c67f8129b3e7e294e7025dafa5311ad0fc1291

Download Submit
C:\UserDot75\devdobsys.exe

Filesize
2.6MB

MD5
368818cfb5a39368fa12eec0faa79f99

SHA1
93bbe0746fa1d3248d06a89eacce6c0c8db951ee

SHA256
853982189f2c39aa9dd2deaf814e926c0e1dd7ae348db7d74af5c56bb9d3b361

SHA512
d1b17a8704a700fb13c052205d8fd97098a5900658d5afe7904631573e2def25e6c2dd1dc1efe032f1c4a3945264c8d34218133a9611460f63ba4353a6d2c838

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
bc5d06e023b4fd876e85bade4bb0d64a

SHA1
a053cbd13723ae5ff3bd19703091a4108f8b22f7

SHA256
67414d061aaa9b0dd41ab7d4aaef0d255c0104957743eb4364e30d13a1f57b49

SHA512
3d39965a7a26862062e19a5495c41fde3f1b5bbedec0fe79c8db8a3838d9eeb91e5fe02606c5bc9c83ce35e35ef1fcd50cad28920fce0c52a55055fa5c72061e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
9ccf324d21637641eb3485f2d21dd11a

SHA1
ed6456d80266d2fce790fd9ae8c079750058fb90

SHA256
2eb75f3998248b1e7e9b61bf71a640bd213fa370e841492e8c92383248ce5336

SHA512
1948448d3bdbade651f9151e731499343392830fafaee8eeb5b6d2c37663a347ca71a005eaee8f878eac4ac8a75946d5b37b97a0a5cb558d5054ffb601071b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
37874e94c12daf5a7d09ec36ae228d32

SHA1
ec7366bb1ef2c871fe01a6c1f8c01245f295d470

SHA256
c96d0a1b6c692e20281654a54acf280ccfea04175bc3ed7d66bb42a86ff677cd

SHA512
919a8d5045bd942e66b2aa79a7994010084b0850966f74ceebe321d88956ff461a56f7a148eaff989b11679940b24077e2851f792dcfaab702e783ff7a7d4529

Download Submit