ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
Size

4.0MB
MD5

9bc09572edf757e9a3184fbb78436b96
SHA1

8b088a7f3c01a82827765cfaa0e8f486a809ad1e
SHA256

ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f
SHA512

ad6c60e988ce92ff8661ad90f77d1b1ebd2543f15d9f7df463de608916e21ea3bd32794a751b1faedbd7d77299485afd039998ac3250a55a0feb66f38cbfe470
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe

Executes dropped EXE 2 IoCs

pid	Process
392	ecdevdob.exe
3668	devoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGT\\devoptiloc.exe"	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXW\\dobaec.exe"	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe
392	ecdevdob.exe
392	ecdevdob.exe
3668	devoptiloc.exe
3668	devoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 392	5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe	88
PID 5036 wrote to memory of 392	5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe	88
PID 5036 wrote to memory of 392	5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe	88
PID 5036 wrote to memory of 3668	5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe	92
PID 5036 wrote to memory of 3668	5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe	92
PID 5036 wrote to memory of 3668	5036	ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe	92

C:\Users\Admin\AppData\Local\Temp\ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe
"C:\Users\Admin\AppData\Local\Temp\ac4b66f11a345266b4bdf91c6357a821b30cdf7e545c917feef76acef3c2c50f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\AdobeGT\devoptiloc.exe
  C:\AdobeGT\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeGT\devoptiloc.exe

Filesize
4.0MB

MD5
96f03c2ad236827c6cfe8e11baeb94e7

SHA1
55ef97b435faa51dfc40463a8eab0b3f2e5ac6ae

SHA256
c9c770a78734e63038abcf1a4b1f6e9faa7cc0e40dc7ca6955b7c4e208440a36

SHA512
a5482bf84a6277a6e427219af419c492de5de662d22600cab31a6d4d62254cf3c65e5777732b5a4a2c794f68e0400209d83e9a6d2a874511b347fbb66e2af3ff

Download Submit
C:\LabZXW\dobaec.exe

Filesize
29KB

MD5
aedec4c6b0e5bfb94bce1bb80817c9ca

SHA1
d8888798c78356a9f59d73c5b7227eac8a3d3ff1

SHA256
ba0e29f0dfc36a71ea3c2a65261c8cfd2ec2da59ed3290df3be385d38f53f535

SHA512
2e25b0f7a806f50159117897913f424cd75f62e46f214aecafd047faa007c7aab75a96f05f6d27efda1a4a5d84e18c35a5f8dbb4892c3345823d5344680f505d

Download Submit
C:\LabZXW\dobaec.exe

Filesize
4.0MB

MD5
1ee5a067c2f759aa71d700305d8700ee

SHA1
10b525492964bc785b11395a8a3b636d3ae78889

SHA256
15d898f187a889e72b342a9986e524a91ad607b7cafcf321540b6c7d89d14f8c

SHA512
21dc90887ec0af7af0296399dbeb6232fda73adef9cfa63e76f8919e1a1485370ebe2705101fb9066a632ed911c45f318cf0a4f47243b34272f90a28f37a3962

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
597b9446bfc7ec40bc9c604ebd714c80

SHA1
d6cc0ff5b37cbb4cc156f162239dc01a89dbe142

SHA256
a60517d3fb6c2ae314976db43a7155b36e092f19b4b3a8139befeaa8df9c8b60

SHA512
d50eb735d8e9211384f97d64320fe8c88c75217a3640182371717715e496a70f134d67e70e0ac6bc4236a7d6bdb2e035d93a4b3437d3f892dd1c7249eec17dbe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
0b72106db47ed82ebda71f4c55625c76

SHA1
90b8f28ace0bf8ace736e2b1a51e953ba863754b

SHA256
bf2042f9a1fb3d0550afe8e16f586325aadada496eebfdb3ada5c2628a96b92a

SHA512
b1ad0218ac4ee007f8edcb67c2f5ff8d7bd51e3887677d1cca48bdc3e3671045a8c317819e72965eb97a798324bd4e1e9513859644be043e47b7fda680d25ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
4.0MB

MD5
ad804d7e1c4c9696688696156d78749c

SHA1
3ea040f5744a2ac1385938c38b81557c46fad153

SHA256
9596c24915652d6c7d51af8c6d67c04ab9932304ce7609878e1f2cdcbd605a93

SHA512
94aa2507ff77ef7ae51695184b899ed9cf0a163a43c877f2f2c448fee77f67a6b2fe55b3ad759d1a66f21cfd06aa18bdd5dfb95aaf57ddc8e1488af8a504bc74

Download Submit