Analysis

  • max time kernel: 150s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/06/2024, 07:51

General

  • Target: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
  • Size: 3.0MB
  • MD5: 523fbd55cca2fe1441d09a1ebae2511d
  • SHA1: 30ad07a2b2cd23c40e12acc6b7517f615844b0c0
  • SHA256: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14
  • SHA512: 14534a35d7ff83c538caeb1c5c38193cf10468dd8c7e740861a020815a8c94e678b59d53e97c5e09911a31d168a113c2f3d4d745447ab4989efcef6e8c716fd0
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8:sxX7QnxrloE5dpUp5bVz8

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe"
    PID: 5056
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
      PID: 3780
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
    • C:\IntelprocJK\devdobloc.exe
      Command line: C:\IntelprocJK\devdobloc.exe
      PID: 4960
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocJK\devdobloc.exe
    Filesize: 1.1MB
    MD5: f8ec92089906bdccb160d754e79a428c
    SHA1: 1401345ba076585a9c855ec22311da9847909510
    SHA256: eeb41fe303a1300dc1070160cda7ac32678f432af83a567f64ad25a6462413a9
    SHA512: ca8dc18e979501417bebd05e61b207fe1fe554101845e6aef2e73c48bb02979a7867428927e6e7ea533b5ef6adaf489515ea1cd3b2054e67d0196e774dfd35a6

  • C:\IntelprocJK\devdobloc.exe
    Filesize: 3.0MB
    MD5: 0cffe652f8d05144d1bde724e7998236
    SHA1: 00d186809e674a27985097832fc56ab610c9be48
    SHA256: c5c4ba51d97023e768f8d2ff33581a9c3d16d05c5f4571c8015e7b16677463e6
    SHA512: 8ef0eaac5320a2f1b20252d52e1376d4a87e75f6f8e769c5cef8051c76f9e5231ee855a4dcdf656f7b706bb4220f4c6f5571f6a18fc611c1e922c0845beb810a

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 207B
    MD5: ed44a95d9737197d878f30758d1ce783
    SHA1: a6b4bb94cd107acbeda291dd2dd9dc0b0bdd80e8
    SHA256: d68238c13eae79da1e6669fd5d3b8b97544b1fa565061092028a6a71f760a379
    SHA512: 8ad46b0c1e68db9f19804b26c0a201020e30ec33219cde219d11712441d8bb4c2167d2bd645b4d615a6391c40c1775ad6dbe97e2fc1bae7fe7816e36d49df41c

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 175B
    MD5: 9c7d7da8418071759e40051732d137e3
    SHA1: aecdfdd1efc664c7fcb4055dc07a2dd17eea7845
    SHA256: 7d1478636a151ca4a1f47231adef277140310df5a73865753b5f37e3d545eb64
    SHA512: 0e33925485fea3ada9309ed0680f563255fa7cac8bc7b11d979720fd932f869e7793a4a183198f3f8f4c3e3bc9ef613795cdad29f2692c88a096d5d0653104a8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
    Filesize: 3.0MB
    MD5: 8d57a0f59baaaca4b32d965f4f96dba9
    SHA1: d01b1f749885d63de6b120ef7db1279ef42de8f5
    SHA256: 7530515c5434c0d02cd9df94974284d15b711755d5b6acea40df02768e0a12f8
    SHA512: dd236bc9eedc0791287c8a2ac27b609da53d36ce6911eeb8fce7637c22c03a5591c5f4d9e7cf7493f08037e0be7860cdb7ec3189ee5e42b51b34a21192f4527f

  • C:\Vid6I\dobdevloc.exe
    Filesize: 57KB
    MD5: 4fc24ec84981a4859f43b365bc7a6e01
    SHA1: ac430117e4d5c1ea397e258f30ae3977d121727d
    SHA256: 4e0f91b98ee9c10c5c433f05a4fab324526ea6964036154553a58504c1526eb8
    SHA512: 7ae0f4c703ab13ef1f84b75037d4bb6fc4fb467f89d41f732cd5a27483f762e9fa5e6032c950865b5268dde35e7f3deec80084459c110ad93c15d0d0882b7279

  • C:\Vid6I\dobdevloc.exe
    Filesize: 25KB
    MD5: c9221e0eb3a16dce428ff8c482aa2dff
    SHA1: 793cc75bc04db78d6d21cce028ebc5202ab1f199
    SHA256: 89c1ad531a116c26ad2fba26da6aa3bfb742ddc6af38f6f62b23e30e4064dc82
    SHA512: 47ee868b2819e8889fa54c5e846d987eb2e67d90d25d969bde5b4f55cf75e4b12765acc7077bab313d9e96935a1d554300bfac8ef2ebe9d36f2bedcf78e5ec12