Analysis

max time kernel: 153s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 05:34

Static task: static1

Behavioral task: behavioral1
  Sample: f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
  Resource: win10v2004-20240226-en
General

Target: f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
Size: 4.1MB
MD5: 8f466d4abf03a5d6f4e88699db920637
SHA1: 9664af2358342eb7baa0ed5b8596faafbc570d21
SHA256: f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680
SHA512: e760c6348b5b6775a31a4c6b73572c5a913e295c3f7f8ab9e5f9a3fa0b0b41b3631f298bb1126654b45217c3c47901b9b5d9fd99fcef754abdaa13ad5a871e36
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBiB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpdbVz8eLFcz
Malware Config

Signatures

- Drops startup file (1 IoC)
  Process: f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

- Executes dropped EXE (2 IoCs)
  PID 4628  ecdevdob.exe
  PID 3668  devdobec.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLQ\\devdobec.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3P\\boddevsys.exe"

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 entries are repeated hits on the following three processes:
  PID 4768  f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
  PID 4628  ecdevdob.exe
  PID 3668  devdobec.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Source process: f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe (PID 4768)
  PID 4768 wrote to memory of 4628  (procid_target 92)
  PID 4768 wrote to memory of 4628  (procid_target 92)
  PID 4768 wrote to memory of 4628  (procid_target 92)
  PID 4768 wrote to memory of 3668  (procid_target 93)
  PID 4768 wrote to memory of 3668  (procid_target 93)
  PID 4768 wrote to memory of 3668  (procid_target 93)
Processes

- C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe  (PID 4768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe  (PID 4628, child of 4768)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  - C:\AdobeLQ\devdobec.exe  (PID 3668, child of 4768)
    Command line: C:\AdobeLQ\devdobec.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4680)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
MITRE ATT&CK Enterprise v15
Downloads