Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 23:17

Static task: static1

Behavioral task: behavioral1
Sample: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Resource: win10v2004-20240426-en
General
Target: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
Size: 4.1MB
MD5: 882d05386b0ec3c2e19df624ce93281a
SHA1: 6571d0d1042a60e97bf03475be21194437141e28
SHA256: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0
SHA512: f0519071499f44f974f463af623fff32c8d8c5a65ca23feb42a3d1494396ecc758baca5fa26e7e0d80a514395c24409fde597b54b3300e0054af27634e34ea4b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB9B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpibVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3780 | ecadob.exe
  1592 | devoptisys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2N\\devoptisys.exe" | 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax15\\boddevec.exe" | 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4984 | 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
  3780 | ecadob.exe
  1592 | devoptisys.exe
  (each pid/process pair is recorded repeatedly; 64 hits in total)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4984 wrote to memory of 3780 | 4984 | 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | 85 (recorded 3 times)
  PID 4984 wrote to memory of 1592 | 4984 | 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | 88 (recorded 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe"
   PID: 4984
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      PID: 3780
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Intelproc2N\devoptisys.exe
      Command line: C:\Intelproc2N\devoptisys.exe
      PID: 1592
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads