fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe
Size

2.6MB
MD5

280a95c46ad10877e70f9f05007d2ec5
SHA1

d099a5472582522c075ebf908dd74714281bc3f7
SHA256

fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151
SHA512

e4212fe62eae719bb8a418987d366a6e9be9c052ece0418521661bcf0cab55debc7b1779b50a864e7824fb689b14c087caeac338761efd36a3994ac6ff69ec5f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUp8b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe

Executes dropped EXE 2 IoCs

pid	Process
2420	ecdevdob.exe
2604	aoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe
1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot18\\aoptiec.exe"	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCP\\dobaec.exe"	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe
1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe
2420	ecdevdob.exe
2604	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2420	1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe	28
PID 1952 wrote to memory of 2420	1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe	28
PID 1952 wrote to memory of 2420	1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe	28
PID 1952 wrote to memory of 2420	1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe	28
PID 1952 wrote to memory of 2604	1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe	29
PID 1952 wrote to memory of 2604	1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe	29
PID 1952 wrote to memory of 2604	1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe	29
PID 1952 wrote to memory of 2604	1952	fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe	29

C:\Users\Admin\AppData\Local\Temp\fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe
"C:\Users\Admin\AppData\Local\Temp\fb848b348d5ccee7bd61e96f836cdc8ce8724797b706681716d9b7151fc77151.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2420
- C:\UserDot18\aoptiec.exe
  C:\UserDot18\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxCP\dobaec.exe

Filesize
2.6MB

MD5
4bfbaf773fab2b99f2aa245156dc2c04

SHA1
0503a320f42f75037b455f21c6883c5e9ce3a95d

SHA256
487e07b7fbf06373c77a26fb753399ca98e2083cc5cae1a2c13094a829b16958

SHA512
20ea22f505a8685f87590cc92e4afc599d37e7a431839ac517f08a1ade48deefb840f57159dc84b929e25d50a04ef04f4791d2670495c353211f75c0c98f022f

Download Submit
C:\GalaxCP\dobaec.exe

Filesize
2.6MB

MD5
6e53dabda8cd3599cdbb7be61e015275

SHA1
64eef81e585936a060f49746c3f37374155a9e42

SHA256
7e7762a06edf5671e691574cf7eb3813c54e0c812aad20bc1fd68722978254de

SHA512
d57cf2b98b4290820deee7a0f6557ab30002efd0946b5c9497a1694a18dd346b7a029204aee41b73d9d126c265afdb7bedb9a2e85eb1df6de147f8982e302761

Download Submit
C:\UserDot18\aoptiec.exe

Filesize
2.6MB

MD5
2d5fcd1186aaf8e8cb4300da16006efb

SHA1
8406b04cb7ac53f65f4859000c6777bfb695b34b

SHA256
f7499cb79f4892d74e3c83ff3b01e01a9b5fd20168e2b6b86056d85fce25eaa8

SHA512
4d82fa9194e94cd42ce6a70c8cd6594a7b735797ef6f299c9bbe672b6e011b628451b9b3222a01bb8c5dc89991dd50d6859cb94c55f721f85ed00768b19c1951

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
96a14077328d22afa083e4128815ff88

SHA1
f098b5414d8c552d91fa72502a605fdffd8227bb

SHA256
12a1286dad19a7d3eb9592e4e777c0912e240008c78d850f724ed8e0dca1e0c6

SHA512
fd534d4856f314b581026199f2d15510fb6f03a4d8d8fde009724cb92b32cb62811cb88635954cfd51b0181a7b3a1f3903fc189800f53871821a7e8b518fe321

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
86067fad4be25d6a4ebae7230f59fed6

SHA1
4ded0565a97aedc380bb31c62ee1c706139dfe88

SHA256
87c066791fa1fe7b7affe57c8edeeb7a6eb1f966502d7c261c893d1ce2096c00

SHA512
5905a6bddd8f296b4c6a4652f3c67be001d3811ec3e819b1c19b4aba8d2d84e89d18643e607d81394966dfdc6f92cb0a026bd7e7e671e8dffad38d799a6e7afd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
ae0563fb82e9122eedaa961bc185986c

SHA1
5a3b03af6e29fc1304fb1ae9a33e61e3dd8e31c6

SHA256
3ff20b90792ce60ad9a462aac29d73a5dd5f40601de6e5e35a0dd8d4e47e255d

SHA512
abcc98b4c5c7d6f103a0bbda96501a97c4948f329655f920f0bded0f9343dcdb14b17fc4a3d935c9d04ab88ce488081b21a4ebc489431c781e3ef7cf0980754a

Download Submit