Analysis

  • max time kernel
    151s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-06-2024 00:00

General

  • Target

    8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe

  • Size

    3.0MB

  • MD5

    96917c0787e219264b75c553c652ea6f

  • SHA1

    6536bbb193afbb18329ada0e26b1c53c315105c1

  • SHA256

    8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2

  • SHA512

    538edee38e254dd085278f008bfb3e0a80df76c48d28f9b93a777291bb1266fbddd31c8aa07b0840a460971d24f4c6128c240201595277a87cc184e469ac71db

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpcbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe
    "C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:220
    • C:\AdobeGW\devoptiec.exe
      C:\AdobeGW\devoptiec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3780
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2660

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\AdobeGW\devoptiec.exe

      Filesize

      3.0MB

      MD5

      59e71b2fe5fb2dad5a786e8341cbc549

      SHA1

      83517258b0885e54ee939f48b6fda636e53d53a6

      SHA256

      7e752a59fb7d6fd129b87033e33747c5fa0e74c6f10f5e70f43d73d07389bf3d

      SHA512

      15200aefad3361e7f25d3a994f44cb8c7c051ee04f0452df66b64d2259800931c60c826703b57405a0211643250f85b93646a51a7c8e8b4f71038d716c354da3

    • C:\LabZWT\dobdevec.exe

      Filesize

      1.6MB

      MD5

      507ab44ecf74ae871209e742e1eefbd5

      SHA1

      78205d20967fc94f9317df30022150beef3296cf

      SHA256

      39e54f1ad03266e524595cde8998cea40173ed52dfa943ab7fca11882e155009

      SHA512

      b68c4b7ac734ff9e6c1798867b955527ac8da245b1214c5fe0a9a5b510a8647a8c222205ff2710dd294530669e21fbb21de22ae556205f182bfa29926714f316

    • C:\LabZWT\dobdevec.exe

      Filesize

      3.0MB

      MD5

      3272caa4192b8d3cc4832cfbd777888b

      SHA1

      10e90f64214d6efb82cb0c61b61bb2432e1ace8e

      SHA256

      7347276718f89fd23f53377b813f9d00fed29dd8de42a4a7cb231d3b918771bf

      SHA512

      e729ad22b2452b1a1c0feeca7e66627fa9c11366ece405cd725088b5d0a02aac0bb04ebd8097be5cc76b2c047979c0752c0f3cf037d1cded0fb21f5d922ebe2f

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      203B

      MD5

      e98e2d00a8ad3df9922f8639c962c7cd

      SHA1

      6435c945787ca4992cd3cbe1d4e9ad5dd9a21941

      SHA256

      87a99db7479a36d4cda718d5abd179481a379fced6f911f70c111b540d3151c4

      SHA512

      707d9a639397fdee00c3846ac1d5b2e18a9990901d7ab45a4530c7f1fc771bf9647547c47a9a2eb4a2dda2cf26b03f90a1e9f26c7314a4de1be87c3866d62523

    • C:\Users\Admin\253086396416_10.0_Admin.ini

      Filesize

      171B

      MD5

      57c3a9ebd25c627a17491abc3c9884f2

      SHA1

      4216f28fa9b13f435d9c1adeaf6dc28b68c75e5a

      SHA256

      d851e9ddf49c012358ce35ee50bee01dbad8dc0b868d608c8fbd4e32bc2dc3c4

      SHA512

      487722feb33cd8d23133b2a26b67763c08b16cd489408be3464d6c138874f879e32d3f62b3eeee2707f57d3fa7333905e772be1ec4c6dbdb1e6e50c785eeef7c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

      Filesize

      3.0MB

      MD5

      d294b259c2367f65e4fb74804c66012e

      SHA1

      ca999dc36a7525781b5c11437cafda17ca1733f5

      SHA256

      1fb3e09226846e0cf592f9443d3a6a8b324ca3d3448f715eb98af6f302afaf60

      SHA512

      63e05f743e87b50f5b089ce1794076cdd28f7197591a5145e7c718f8519d55d8aa5987eaea56623b754371a250c001e0a613b1a1da47e7bb3792c47895c259d9