7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
Size

3.9MB
MD5

e0d751bcff49d70af84b09611194c46b
SHA1

d4adc77f981af0cb0e0c59f56a39fe8e43124958
SHA256

7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe
SHA512

525c9e15ca081caf1735f80ea6b131940a8e89489600a9dd4396fe258cb5b1b3fa3b4239f7051b5398c9076419e9b7a1936dc89d7eed0a47b38c0e526aca3b63
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8:sxX7QnxrloE5dpUpebVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	ecdevbod.exe
4628	devoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRY\\devoptiec.exe"	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEN\\optixec.exe"	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe
3068	ecdevbod.exe
3068	ecdevbod.exe
4628	devoptiec.exe
4628	devoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 3068	908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	95
PID 908 wrote to memory of 3068	908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	95
PID 908 wrote to memory of 3068	908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	95
PID 908 wrote to memory of 4628	908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	98
PID 908 wrote to memory of 4628	908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	98
PID 908 wrote to memory of 4628	908	7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe	98

C:\Users\Admin\AppData\Local\Temp\7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe
"C:\Users\Admin\AppData\Local\Temp\7af325be27414172a61dd69ff53b556f5cf3bfa832321987add5b88abf1630fe.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\AdobeRY\devoptiec.exe
  C:\AdobeRY\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeRY\devoptiec.exe

Filesize
3.9MB

MD5
d405a90ecbd8b3dc1679497d9cf4066a

SHA1
c7cceed1c1ed29ecd7e824eae4c36c00d5822d25

SHA256
6ab61eb7e637ddfb763e3acd1a8ec77ccfe45f2ab4c834076b6a9cbdd177598d

SHA512
33389209ac25a869e6782ad9d69e815236267592c3815125bd7b797a2848387256deb1b74e0461685f605b00d8eea9a9f3a62d9400681d677a1cba775713f52d

Download Submit
C:\GalaxEN\optixec.exe

Filesize
3.0MB

MD5
f9f68189b7679faa65f0761f744906e9

SHA1
bda0729c6f62bebffa92a85ab178a053d3d53253

SHA256
fc4af85a0f1a24018fa7e823735aff244f90523571845940cbf3899896ba7147

SHA512
d65488fe855aad81b321afa277d9defa0bfa6678f8d7377131edc99f62724ed768d432bd56211568fbba4347973c83a38ee7387fbf92ad0c28172084cd320547

Download Submit
C:\GalaxEN\optixec.exe

Filesize
99KB

MD5
808aafecf87513ba404030b7feb0546e

SHA1
4fed430c56e46a3a9c3c27d3c6d3af9a7b709ee8

SHA256
46d0b01558fa93ab583c9ced40dc42d0e1d4e7cd95457db719b19abb064c0a76

SHA512
b05ac71f720752d75566e2f239aa7e515948a7289e4aadeefebf1266600b250d9c724c224d97ae7315a4f70c32fb191e1cdc80e5778144be5a4984df437552b8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
800c61b2fb0257b23016c504b236f4c8

SHA1
059c138c235f09ff87d1bbc38aa599bb55237a2b

SHA256
90159923b88d4d0e3f2e36df4884a7441f0b6e0141f82ff0a22caa666aa9cff2

SHA512
9e95acbf1572ac462dc1c120d6ed524c0beef42edbeb49555f84787feddad1f68b4c7ed4e0648320c14f2a30497951b850d4fc59a283b38a61221cd6f0305f95

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
71365c69f2b2876cd9a1c375bb1f3d33

SHA1
013ad6367c3e601b7545cf73685bc6330df5f1f0

SHA256
01b522c2c0e4ffe0b3d99e23f510c8817c96a44bb247caf7dc34b2b6ca21c841

SHA512
614a13d2159af4662cd3cba41d1bed46443145b807a72a629adb72ca9a4b4a11762f4fdb400865d94550adab9fc0028d2aa62db203c5fbe30c024566d62cba2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.9MB

MD5
80bb76fa0b4d35fa5f87ed29ebf55f71

SHA1
f3641a09115997316906229c17dc780a4d85dde7

SHA256
a23e73e5406efac147865eabaceaf7dc317ea01492e84e6cac78a4f0276dc526

SHA512
2a06119629e9db4910a2081be27997a16c70340d96dc250f76eccddc74f29f560f7e24f5749559c84ba2b907371cecb62a5309c6302129d904ef5176abf34a42

Download Submit