72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
Size

3.6MB
MD5

00b6b2878b67825d3d7c75fa07375ead
SHA1

5ecdc8ead0c9f7c8e47a3988c9f298c0a166219f
SHA256

72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b
SHA512

3e93ad4528c55344f8c070c17521adbf5c57642470ed4ce6bf1ef7074b56588e63e53f2707de81c86b45f9afc0fc4f4e06f8ff4056a720aaa4260ff6a427d11f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8:sxX7QnxrloE5dpUpobVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe

Executes dropped EXE 2 IoCs

pid	Process
5096	ecdevdob.exe
448	aoptiec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2F\\aoptiec.exe"	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxT9\\boddevec.exe"	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe
5096	ecdevdob.exe
5096	ecdevdob.exe
448	aoptiec.exe
448	aoptiec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 5096	1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	92
PID 1528 wrote to memory of 5096	1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	92
PID 1528 wrote to memory of 5096	1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	92
PID 1528 wrote to memory of 448	1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	96
PID 1528 wrote to memory of 448	1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	96
PID 1528 wrote to memory of 448	1528	72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe	96

C:\Users\Admin\AppData\Local\Temp\72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe
"C:\Users\Admin\AppData\Local\Temp\72ebc8cd13139b1a49443a8d1e928a54ced0c3e31a1c4d13a94e8589fcb3076b.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Files2F\aoptiec.exe
  C:\Files2F\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files2F\aoptiec.exe

Filesize
870KB

MD5
9e981ee12cb6605a7ea6350c606b33aa

SHA1
41a1c91f0e6fa76d8aefd5b1e51d28ed578c6eeb

SHA256
6774b1cf3ed65acc6d099dade41ae2dcc00e2cf52549cda673f4cd53845fd814

SHA512
232af2c963d63d2ff4b36449b5629f6ff1fdd4fb39b4e8b39212079e983c8c7c0e27e5fcfa2e0c3e2d9c4d8f4924ed963c86c67b9c82ab29adc9eb4fd2fbedd1

Download Submit
C:\Files2F\aoptiec.exe

Filesize
3.6MB

MD5
6dce6c13508df2334cfa9d1b295ed937

SHA1
52014bc2449ec741e4afd5dd2b382c77a13762ed

SHA256
91e5589630713746a6cb483418c2ecc0e9d8187d99e3173f464c51b8784a7893

SHA512
4ca52619ad023ebf110c82a82b898149ac083bf8417aede5a276a2f7fc0e943b991cc0d9f97345715f85d7275af5107772e79ba546befa08d0e4f70152f09a21

Download Submit
C:\GalaxT9\boddevec.exe

Filesize
3.6MB

MD5
2c80c6d3b0ef1f7c74a64c9222944518

SHA1
5cd07a62338bf0a5be1f5d03ffbf5850c5d7349c

SHA256
5fd0cae94cbaddc712d8625b37d430b9e8b83ebadb082dff6ba313ac0c41ce55

SHA512
1809db16fd980b462ffbf521619b834e30d4899f32ded9748972ead40348c5d5ef9f35b5676ab3f98fbb37c8ea700efa7565191c43c4ba301b8f3e44a83ef9ae

Download Submit
C:\GalaxT9\boddevec.exe

Filesize
3.6MB

MD5
dd3ea5e2ef8d46c3931cd28c0ea948c2

SHA1
de59193dedc28637d474aeaffaa5a01e9f9991b5

SHA256
6938ef2f46c218707cd5edb61d9e9dd4463869221a3f8c303f1c0b39d493ab05

SHA512
8b1c8d772c8a0cad286b8ce9510ba0db8237a1a261da638786ee797855a93ef952d0820c96319f1dc233fc8079731ec1384b985b683662c6ce692d26794a2ef9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
1e58ab5965a1e219d19223a9e7013217

SHA1
843a1d9506de21597fce6dc66bdbd5e9bce25bfb

SHA256
17c46150dcfd37439828f935e749f235c10dba36e4f0d9939a01ec5484c530c6

SHA512
4e78b1ad3d606e23861fbad97e40aa0be4f07f144ddf4eb9ed49d5e71a9bb33025f086baa757b56ccf83a3488ee18ef340817f58d61cdd765de802d74c5b5d48

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
337c6b0d0b954bd0dc61edba64ac3af1

SHA1
c357cffcec867b422c68126507c826a55ad921f2

SHA256
bb7f5b22b8d3b1d16b6aced05d66f10feb61e808a2a622a2833808a15ab60345

SHA512
7aa29aaa3751ee128d17a547a27b1ea632df78acb713ec203f69883ec5dfe7563bdd20157e971aa92771c9e9aa9bb9f08af840262dfe79a456c84f7242beca24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.6MB

MD5
7e2008a9ce0f6b4f669c6d767eedeae2

SHA1
d14acb82e8ea3849009b18d3d8f95aa6377e2242

SHA256
4c99fc5751f3fdff57671bab69544ccb0550beac1880f78bedeca0d85e8084f8

SHA512
ee30206c7e151a457322e35456a4afacb8cb25cd2e78bda6ae39aac8adc301114ba3f7d909d838c5f59ada2c96786db10b6154114cefcc568272fbbe210f893d

Download Submit