Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
  Resource: win10v2004-20240508-en
General
Target: fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
Size: 3.6MB
MD5: 56981af27179a55421ace1b07a50962e
SHA1: f7fd6767bb14e2859411f06755c022c0fca8627b
SHA256: fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777
SHA512: b4396b9fd47157522bcc846ae688a1a197f5b31ab23ca1d5ff34febaf7bb066a11520237255863e98e66febef6a6ba9556ec5ecc4f69f9e2a2c9b79197817825
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB8B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (by fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe)
Executes dropped EXE (2 IoCs)
Processes:
  PID 4428  ecdevdob.exe
  PID 3008  aoptiec.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPI\\aoptiec.exe" (by fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintI0\\boddevec.exe" (by fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 entries; repeated rows collapsed):
  PID 392   fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
  PID 4428  ecdevdob.exe
  PID 3008  aoptiec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 392 (fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe) wrote to memory of 4428, procid_target 96
  PID 392 (fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe) wrote to memory of 4428, procid_target 96
  PID 392 (fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe) wrote to memory of 4428, procid_target 96
  PID 392 (fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe) wrote to memory of 3008, procid_target 99
  PID 392 (fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe) wrote to memory of 3008, procid_target 99
  PID 392 (fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe) wrote to memory of 3008, procid_target 99
Processes
1. "C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"
   PID: 392
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      PID: 4428
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
   2. C:\FilesPI\aoptiec.exe
      PID: 3008
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
1. "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
   PID: 2476
Network
MITRE ATT&CK Enterprise v15
Downloads