ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
Size

3.0MB
MD5

77d94bc38db2cfd3259f5c6c2a253ebd
SHA1

6fa31ea6d8a4621e6a07747ccf0806c1dfd3a94a
SHA256

ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278
SHA512

62f8f1bc5c8e1c6729e36e8046724a61b4a7e6fb41b90539ef86d2f2cf080ac9826408609baf4c59fa74365b2d9c57021a8682af34bd5c231e0680900165c429
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8b6LNX:sxX7QnxrloE5dpUppbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe

Executes dropped EXE 2 IoCs

pid	Process
4304	ecdevdob.exe
4968	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGT\\devoptiloc.exe"	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXW\\dobaec.exe"	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe
4304	ecdevdob.exe
4304	ecdevdob.exe
4968	devoptiloc.exe
4968	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4304	3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	87
PID 3368 wrote to memory of 4304	3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	87
PID 3368 wrote to memory of 4304	3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	87
PID 3368 wrote to memory of 4968	3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	89
PID 3368 wrote to memory of 4968	3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	89
PID 3368 wrote to memory of 4968	3368	ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe	89

C:\Users\Admin\AppData\Local\Temp\ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe
"C:\Users\Admin\AppData\Local\Temp\ac1f06a1381283a20ca741f7debc2eb00ba1704e656ea0d178d48b685b5b2278.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\AdobeGT\devoptiloc.exe
  C:\AdobeGT\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeGT\devoptiloc.exe

Filesize
3.0MB

MD5
0ed84f5134555673ab23aa25e9c80ba5

SHA1
4503d83fb01a243c70e6a3cd514b33118b43fd91

SHA256
3b94753b66ff0579e89ed451e16616682b63544eaa3d6200aa9e1d50f986d65b

SHA512
c62fbb63d25ad7a382f38cde71c5cd49a4b78bb6af1dc194ef9c5e1f84201e05db0e1d38574495465c96158884ac22dc21a5b024c1f44d1d60386bd95a511f5d

Download Submit
C:\LabZXW\dobaec.exe

Filesize
3.0MB

MD5
53557663219bfe4e480599e9dd010e72

SHA1
ae7b861a2a54995ee993dcef9e013af93a31fb5c

SHA256
948d2021d94a2a0fbe5236ff23f57c77174a2a198e6561f73285101dad7e3c3b

SHA512
578397c47c26d4a3f2d2815cc2e5ca2660d0f954ab8b73eb1b9da3b9fadc2c4727498dd2651dc654aaccabec7cb5eec1374e3390535722bd89d09c5265447396

Download Submit
C:\LabZXW\dobaec.exe

Filesize
3.0MB

MD5
3a168c980af4efca62d1414788059eb4

SHA1
717164a88fc69af24d5e5ab0626dea1b1ae6c054

SHA256
c262777d1a39e0177cf263c5e0307998aae3fb47e7945323e15a3d38f734d894

SHA512
02c52a63fcb88643b828cc2063b9b5f19187ca8b3b0a47059763fcbfc6e22754070a802e98c7ad5b4f43c7fff1a5932e693450103e46f150062d7896d05a323c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
597b9446bfc7ec40bc9c604ebd714c80

SHA1
d6cc0ff5b37cbb4cc156f162239dc01a89dbe142

SHA256
a60517d3fb6c2ae314976db43a7155b36e092f19b4b3a8139befeaa8df9c8b60

SHA512
d50eb735d8e9211384f97d64320fe8c88c75217a3640182371717715e496a70f134d67e70e0ac6bc4236a7d6bdb2e035d93a4b3437d3f892dd1c7249eec17dbe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
0b72106db47ed82ebda71f4c55625c76

SHA1
90b8f28ace0bf8ace736e2b1a51e953ba863754b

SHA256
bf2042f9a1fb3d0550afe8e16f586325aadada496eebfdb3ada5c2628a96b92a

SHA512
b1ad0218ac4ee007f8edcb67c2f5ff8d7bd51e3887677d1cca48bdc3e3671045a8c317819e72965eb97a798324bd4e1e9513859644be043e47b7fda680d25ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
3.0MB

MD5
09887ee695f628833060124fdce3e678

SHA1
29570d8644dbfdd46869e18275dcb6634e0eb9da

SHA256
8d7e7637d2c572b5fceb0937ae962d8847d8e6190a48afdca4458085e36b9157

SHA512
42188486fe8e04ce6b8d5130865a1d3dc86df8ae4e50626be7b6b46580f0fdbe171aeaba3f8bbaf3cf1f937bbc35ea9f2ebe76a9295ad900d53801f1febd517f

Download Submit