Analysis
max time kernel: 151s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 00:00
Static task: static1
Behavioral task: behavioral1
  Sample: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
  Resource: win10v2004-20240226-en
General
Target: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
Size: 3.0MB
MD5: 96917c0787e219264b75c553c652ea6f
SHA1: 6536bbb193afbb18329ada0e26b1c53c315105c1
SHA256: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2
SHA512: 538edee38e254dd085278f008bfb3e0a80df76c48d28f9b93a777291bb1266fbddd31c8aa07b0840a460971d24f4c6128c240201595277a87cc184e469ac71db
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpcbVz8eLF
Malware Config
Signatures
Drops startup file 1 IoC
Process: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  process: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
Executes dropped EXE 2 IoCs
Processes: ecaopti.exe, devoptiec.exe
  pid 220   process ecaopti.exe
  pid 3780  process devoptiec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Process: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGW\\devoptiec.exe"
  process: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWT\\dobdevec.exe"
  process: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe, ecaopti.exe, devoptiec.exe
  pid 3012  process 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe (4 entries)
  pid 220   process ecaopti.exe and pid 3780 process devoptiec.exe, in repeated alternating pairs (the remaining 60 entries)
Suspicious use of WriteProcessMemory 6 IoCs
Process: 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
  PID 3012 wrote to memory of 220   (3012 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe -> ecaopti.exe), 3 entries
  PID 3012 wrote to memory of 3780  (3012 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe -> devoptiec.exe), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 3012
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 220
   2. C:\AdobeGW\devoptiec.exe
      Command line: C:\AdobeGW\devoptiec.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 3780
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
   PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.0MB
  MD5: 59e71b2fe5fb2dad5a786e8341cbc549
  SHA1: 83517258b0885e54ee939f48b6fda636e53d53a6
  SHA256: 7e752a59fb7d6fd129b87033e33747c5fa0e74c6f10f5e70f43d73d07389bf3d
  SHA512: 15200aefad3361e7f25d3a994f44cb8c7c051ee04f0452df66b64d2259800931c60c826703b57405a0211643250f85b93646a51a7c8e8b4f71038d716c354da3
Filesize: 1.6MB
  MD5: 507ab44ecf74ae871209e742e1eefbd5
  SHA1: 78205d20967fc94f9317df30022150beef3296cf
  SHA256: 39e54f1ad03266e524595cde8998cea40173ed52dfa943ab7fca11882e155009
  SHA512: b68c4b7ac734ff9e6c1798867b955527ac8da245b1214c5fe0a9a5b510a8647a8c222205ff2710dd294530669e21fbb21de22ae556205f182bfa29926714f316
Filesize: 3.0MB
  MD5: 3272caa4192b8d3cc4832cfbd777888b
  SHA1: 10e90f64214d6efb82cb0c61b61bb2432e1ace8e
  SHA256: 7347276718f89fd23f53377b813f9d00fed29dd8de42a4a7cb231d3b918771bf
  SHA512: e729ad22b2452b1a1c0feeca7e66627fa9c11366ece405cd725088b5d0a02aac0bb04ebd8097be5cc76b2c047979c0752c0f3cf037d1cded0fb21f5d922ebe2f
Filesize: 203B
  MD5: e98e2d00a8ad3df9922f8639c962c7cd
  SHA1: 6435c945787ca4992cd3cbe1d4e9ad5dd9a21941
  SHA256: 87a99db7479a36d4cda718d5abd179481a379fced6f911f70c111b540d3151c4
  SHA512: 707d9a639397fdee00c3846ac1d5b2e18a9990901d7ab45a4530c7f1fc771bf9647547c47a9a2eb4a2dda2cf26b03f90a1e9f26c7314a4de1be87c3866d62523
Filesize: 171B
  MD5: 57c3a9ebd25c627a17491abc3c9884f2
  SHA1: 4216f28fa9b13f435d9c1adeaf6dc28b68c75e5a
  SHA256: d851e9ddf49c012358ce35ee50bee01dbad8dc0b868d608c8fbd4e32bc2dc3c4
  SHA512: 487722feb33cd8d23133b2a26b67763c08b16cd489408be3464d6c138874f879e32d3f62b3eeee2707f57d3fa7333905e772be1ec4c6dbdb1e6e50c785eeef7c
Filesize: 3.0MB
  MD5: d294b259c2367f65e4fb74804c66012e
  SHA1: ca999dc36a7525781b5c11437cafda17ca1733f5
  SHA256: 1fb3e09226846e0cf592f9443d3a6a8b324ca3d3448f715eb98af6f302afaf60
  SHA512: 63e05f743e87b50f5b089ce1794076cdd28f7197591a5145e7c718f8519d55d8aa5987eaea56623b754371a250c001e0a613b1a1da47e7bb3792c47895c259d9