e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
Size

2.6MB
MD5

5fb0ab2b779a5b43e46b727207ac8204
SHA1

484c83491794b078ce5d1a8c35eb9ff19ceaa4a8
SHA256

e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8
SHA512

e9e377e63ceaed4ed54c00bd2f123e4ffbdce0e79c42c9f39eed6d2990db15adb1a70531dd8141ace3d669981d1d34c3e6e9fea35b0557603ade75b6337d2fba
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bSqn:sxX7QnxrloE5dpUp/bVn

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe

Executes dropped EXE 2 IoCs

pid	Process
2260	ecdevopti.exe
2296	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBY\\bodaloc.exe"	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVD\\devoptiec.exe"	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe
2260	ecdevopti.exe
2296	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2260	1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	30
PID 1732 wrote to memory of 2260	1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	30
PID 1732 wrote to memory of 2260	1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	30
PID 1732 wrote to memory of 2260	1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	30
PID 1732 wrote to memory of 2296	1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	31
PID 1732 wrote to memory of 2296	1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	31
PID 1732 wrote to memory of 2296	1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	31
PID 1732 wrote to memory of 2296	1732	e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe	31

C:\Users\Admin\AppData\Local\Temp\e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe
"C:\Users\Admin\AppData\Local\Temp\e098b53702008b889bdc0384aab0107d22de8a9e13d716a6e39cf7a7b8942bb8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\AdobeVD\devoptiec.exe
  C:\AdobeVD\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeVD\devoptiec.exe

Filesize
2.6MB

MD5
ebacb41270e4880f0cb5dcbb1155bad5

SHA1
0a407f8f33ac67123ae11795693129d3c49bd351

SHA256
b2c539618f52de16456bcbaf0c092dab908d0c3b9314fbf6aca36f13c5d49054

SHA512
9f6c7be977bc3f2a8a51c4e147ea3712db136c3fdd0fa8b9857c8d76ec2d41799422952581f272ac89bb83c39b691331b520b07198da6af3830d23ea23b64933

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
57c80259bda0fa12a5405ee7cf1dd849

SHA1
2443e91267a93e301fde51dda29c90b6327238b2

SHA256
24611b61eebd0862048b5464329c11e5e1da6396c1e4512d380e33f1aad97b5b

SHA512
e781a7e2da31669a06348027670255034b1a1fcff29c28d0d58b6e349280a0a904fb845ab8c7bbbe86efff1491906d2858d685c1fab78bb37bfd5d65ec2908fc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
9543d9baf68630ee7ad03208e3cff586

SHA1
f193cf1460c375b823a54c3475c3fb11599c8dbe

SHA256
08ceb7d70e30334bea6f0fca648c0420efaec8c6eee50dc95eb9468f0da8a4ca

SHA512
0e7476c1b6563d1f48c0e91a1b2e5f35f049375cfb506dc3696f39a3af25e1f19d693b4ee9335a5eddb8d20d8504340bfc988a02fc370ce115241b54ea44dd68

Download Submit
C:\VidBY\bodaloc.exe

Filesize
1.8MB

MD5
a11f76255b9ca6234bfd6aa66474643d

SHA1
e3cc3fe2e8e1a624e3288e828320a33d91a8d733

SHA256
2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6

SHA512
5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

Download Submit
C:\VidBY\bodaloc.exe

Filesize
2.6MB

MD5
69b95d92e59b312bc9e214d8d013c123

SHA1
e8f5f104c50600b5797f19dbecd32aae92098f09

SHA256
efb35f6b15a3c925991de8261fa418043ecbe0ca9e85329847affc27a241ddf6

SHA512
7ba55ad92d2917e396b4ecce6229078b009bb1eea04111754c8b8ada7070318600c2f4407679d21be90431c0f9dd5755f3748e887b364fb367cda71b0518fb33

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
19ebb4e84378f18a8145a1529639cc80

SHA1
1abee8c84ce75ed1b23730f09595d6a361dc5c1f

SHA256
a9558b1c0fa9b9e96da009a8137cfdc83efb740432b5568c6fde7d3261eb2f36

SHA512
8976f1974c39bf9759bdd61d87bf0b12f462c738469001e81f984de69cf1b2446ea5b65680b4c17d376aea05add9875edf257e7468574c512739a08f94d8b095

Download Submit