142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
Size

2.6MB
MD5

5269a668a24af4644abde5c875624ab0
SHA1

5ed479d2f3024c2a3ae04ad65037c62bf4b50eb9
SHA256

142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032
SHA512

ccb2011acd0d8aaa7a60bcc34e866ac0275f1ad97596e9acde3c540a248c9230f535b633482f1d588d96a6d986fe6cb92973998d1103aabbbdbdf1ccc2462a88
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSq:sxX7QnxrloE5dpUpSbV

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe

Executes dropped EXE 2 IoCs

pid	Process
1520	ecadob.exe
3692	devdobec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPP\\devdobec.exe"	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAC\\dobxsys.exe"	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe
1520	ecadob.exe
1520	ecadob.exe
3692	devdobec.exe
3692	devdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1520	2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	87
PID 2276 wrote to memory of 1520	2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	87
PID 2276 wrote to memory of 1520	2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	87
PID 2276 wrote to memory of 3692	2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	90
PID 2276 wrote to memory of 3692	2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	90
PID 2276 wrote to memory of 3692	2276	142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe	90

C:\Users\Admin\AppData\Local\Temp\142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe
"C:\Users\Admin\AppData\Local\Temp\142b88d69d1f133447ba6d87c0138d591a9241a1ec5b952d7463eb9205450032N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\SysDrvPP\devdobec.exe
  C:\SysDrvPP\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvPP\devdobec.exe

Filesize
2.6MB

MD5
2e08831c4495f2999288bd5f98653715

SHA1
a77c67fab2d3a58adf8c7ed10029b48014f8450b

SHA256
59f3790257e766219d3197dd7ae66e19f256606efdfe6cd7417c7750832b453f

SHA512
d7d11d18f6afc100a403ab3b749753bb9dbeed57ea0bce8bd102fbd655708594870c13963d8436028083b569bf6d1c882f7b72809ef196df93205ffcad17f391

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
184d67a866f3f28b471513b4a7210982

SHA1
7eba17bfe9ef3ac1cd34be26a943a1f55eae90b2

SHA256
7bf27cd95516a94207e63fd440d3549ad7e1f3873bb2ee906f08daedf99bb6fd

SHA512
e9760d4dbba3a7fe12a0a69911e162c149dce6a660c57c0c738c83f1935e1656cd120641848aabf0beb5657cf69bc9357d749e27862bfce9f0cc62da5841d504

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
168B

MD5
56ba58859bfc597363d9f4a484d309e4

SHA1
85a4186626d8ead1b8349c0d6eb2c8e0aa5e0873

SHA256
2406af8c383fae8aca16a90c4f30dbe99b4f493b743a9aa0aaefd9b3e81e8eaa

SHA512
a7cb20f613bee2da592f4917501c783de638fe86315866b0621c7b7cb907e2f017a4a6489931ce4377ef9efea6a0ef1751b9a34265ed0551c047fe58923cd46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.6MB

MD5
d5056e09c0abac0977af1838b833fb5f

SHA1
c4d2dc07f84db09dd96857a9d89d8c7b59b9bae9

SHA256
2cb35ba12f0c73db07a3e81e9770394f10bb6a5c94be7faf9235ab8359e0e5f0

SHA512
53757c7d6dab0b4d13541c689d721d190a554fa7e645c1ee5fedf287e1f3bd28a95c1d0c1aeec1cfe291cba3d9a64cff11d3e333e2f007bceb74abdc56da1a9e

Download Submit
C:\VidAC\dobxsys.exe

Filesize
1.3MB

MD5
bbae5439b7310d1b62245b56c1a37748

SHA1
ca8f98b4157397fe973dbd72d8e9fde54fb3c206

SHA256
e315912e9961cea4b02da64f2ff700175abfbb6e18819ffc83f75e4d3290edd2

SHA512
07c17179070d9a0e04dcfd249288ed1f3b1b56549b8adae8e88d6d0c4d0dacc31b420db5fc8676136970de287fbbeb4d56b9b1ae6593ac6ba4ff3dafe46aa7b9

Download Submit
C:\VidAC\dobxsys.exe

Filesize
2.2MB

MD5
474cd93094706f42223ce52697bdb532

SHA1
bfda1e09bdda3031f49c19e593c2ef5b79cfdcb6

SHA256
775b46b4c7de5620db46b8a5cbd453ba2b26dafa3fb2ea33f6288139266e3eb9

SHA512
560a0e735bd592cf643e22a051f912f86eaa0acfe08866512eb160d0cc3b1f447555b718a0fbf786cf147a8ec5d4009865c46d2e85ad742420d18ffc954f9eb1

Download Submit