4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
Size

2.6MB
MD5

5f75770cd1b4f0c75cf21010124e6050
SHA1

acd5d13cfeb9dffbe029d7f8f1cd8d4f56e7ce4f
SHA256

4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453
SHA512

5c7fde930976f6b75f9d2c6336a8ecfd65e7167a245781b770fce949992009a16915f048f5ddbbc8c96996f04e1b0c0729a8b32948ee5684ab59566358d0c9a4
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpNb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe

Executes dropped EXE 2 IoCs

pid	Process
2396	ecabod.exe
2292	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5W\\devoptiec.exe"	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZM2\\dobxloc.exe"	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe
2396	ecabod.exe
2292	devoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2396	1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	30
PID 1936 wrote to memory of 2396	1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	30
PID 1936 wrote to memory of 2396	1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	30
PID 1936 wrote to memory of 2396	1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	30
PID 1936 wrote to memory of 2292	1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	31
PID 1936 wrote to memory of 2292	1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	31
PID 1936 wrote to memory of 2292	1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	31
PID 1936 wrote to memory of 2292	1936	4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe	31

C:\Users\Admin\AppData\Local\Temp\4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe
"C:\Users\Admin\AppData\Local\Temp\4cf1b5b0025126dcb171e852276d413533c62ffd7ab5c4b1f57f8e3708bb8453N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Adobe5W\devoptiec.exe
  C:\Adobe5W\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe5W\devoptiec.exe

Filesize
2.6MB

MD5
d3e246c1868095517f767b1f145d55cc

SHA1
cb2db894740f9d85262c0f3ee4bb6ed9b7743e6a

SHA256
27639f717c398dbf6fe9a46ff73a137a79842bc8cb0b1a763d791495f2f86e8d

SHA512
89ca5540de47f75f82dc71dee5611c9d8c7985a0354418df59dd27b14d5f47efccfc8f07b4d13955e6cb6c58e896caf9df751a1a731059b09d47c5e3eee0cf0b

Download Submit
C:\LabZM2\dobxloc.exe

Filesize
2.6MB

MD5
491cf08c8f446a00679db9e104a29d44

SHA1
6fb052ae5807f95ca4db42c3b950e0d7713ce948

SHA256
bea74f8dfe4fb1e2f3ffc8b859cce38940f10688b7f6262c6c9ad482fa040d2e

SHA512
60a668d5989e4b7be45be7177217982908ab9cf3ccb64efd371a5bc973c4fa4897df8161a4ea5db9a5c2818ae12e5239302e8f87d767575b843b5d8558c472c8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
f0b8774f42bc8efa21f410edc1cd519b

SHA1
6f22e125a95b040fc3734a1a10a6d3b6ccc5b1ee

SHA256
d4e59cd9e957f96b6f0db8d21d93e7931d5a762cc7ede183f49a6f67d7f65a62

SHA512
d682007c074bc2afd82a185a37a422e28998c1323844e85bb24e1d0d2b669dd91a246f74a9a2b36f112d03afbc0ecde680fd62e2ffb5da30ebfae1029f252faa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
f83e0d1698a5e069a0f18de52a8a9f60

SHA1
4651735b8dfcd8422426d59aa2c14c463c390093

SHA256
6797a5202fc122f390eb8a6c20884f75ab3bbbc61803a4db697c4cbc657d95d7

SHA512
65171332a7bf55f5dd35039127e31685a7c14e4e26334a0c1a7510792b764e86c4693be48e13c98c7349ae2ea13c82abee541f895177be0a3670300dce1bbae9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
d47f485761e3852ccad2adf6e5ce2c50

SHA1
6c3b378a753e8fa13fc92160e49fd68ff5e705f7

SHA256
823814346814b059a55e2ccbd0e7969b9b082693c41d2cc19069b33d5f3ed9eb

SHA512
e456020de45f08cf4e8fa6d45cd03b15751f5d8c45116ef4386ad028ba2b2f74b023e56acf9f0cdff473df34436e66a5ca7fc9d3ab1fab4c08d3eae4b5ab22fd

Download Submit