Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/06/2024, 07:51

Static task: static1

Behavioral task: behavioral1
- Sample: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
- Resource: win10v2004-20240426-en
General
- Target: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
- Size: 3.0MB
- MD5: 523fbd55cca2fe1441d09a1ebae2511d
- SHA1: 30ad07a2b2cd23c40e12acc6b7517f615844b0c0
- SHA256: bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14
- SHA512: 14534a35d7ff83c538caeb1c5c38193cf10468dd8c7e740861a020815a8c94e678b59d53e97c5e09911a31d168a113c2f3d4d745447ab4989efcef6e8c716fd0
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8:sxX7QnxrloE5dpUp5bVz8
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  3780 | ecaopti.exe
  4960 | devdobloc.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJK\\devdobloc.exe" | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6I\\dobdevloc.exe" | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  5056 | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | 4
  3780 | ecaopti.exe | 30
  4960 | devdobloc.exe | 30

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5056 wrote to memory of 3780 | 5056 | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | 84
  PID 5056 wrote to memory of 3780 | 5056 | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | 84
  PID 5056 wrote to memory of 3780 | 5056 | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | 84
  PID 5056 wrote to memory of 4960 | 5056 | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | 85
  PID 5056 wrote to memory of 4960 | 5056 | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | 85
  PID 5056 wrote to memory of 4960 | 5056 | bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe"
  PID: 5056
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
    PID: 3780
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  - C:\IntelprocJK\devdobloc.exe (depth 2)
    Command line: C:\IntelprocJK\devdobloc.exe
    PID: 4960
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: f8ec92089906bdccb160d754e79a428c
  SHA1: 1401345ba076585a9c855ec22311da9847909510
  SHA256: eeb41fe303a1300dc1070160cda7ac32678f432af83a567f64ad25a6462413a9
  SHA512: ca8dc18e979501417bebd05e61b207fe1fe554101845e6aef2e73c48bb02979a7867428927e6e7ea533b5ef6adaf489515ea1cd3b2054e67d0196e774dfd35a6

- Filesize: 3.0MB
  MD5: 0cffe652f8d05144d1bde724e7998236
  SHA1: 00d186809e674a27985097832fc56ab610c9be48
  SHA256: c5c4ba51d97023e768f8d2ff33581a9c3d16d05c5f4571c8015e7b16677463e6
  SHA512: 8ef0eaac5320a2f1b20252d52e1376d4a87e75f6f8e769c5cef8051c76f9e5231ee855a4dcdf656f7b706bb4220f4c6f5571f6a18fc611c1e922c0845beb810a

- Filesize: 207B
  MD5: ed44a95d9737197d878f30758d1ce783
  SHA1: a6b4bb94cd107acbeda291dd2dd9dc0b0bdd80e8
  SHA256: d68238c13eae79da1e6669fd5d3b8b97544b1fa565061092028a6a71f760a379
  SHA512: 8ad46b0c1e68db9f19804b26c0a201020e30ec33219cde219d11712441d8bb4c2167d2bd645b4d615a6391c40c1775ad6dbe97e2fc1bae7fe7816e36d49df41c

- Filesize: 175B
  MD5: 9c7d7da8418071759e40051732d137e3
  SHA1: aecdfdd1efc664c7fcb4055dc07a2dd17eea7845
  SHA256: 7d1478636a151ca4a1f47231adef277140310df5a73865753b5f37e3d545eb64
  SHA512: 0e33925485fea3ada9309ed0680f563255fa7cac8bc7b11d979720fd932f869e7793a4a183198f3f8f4c3e3bc9ef613795cdad29f2692c88a096d5d0653104a8

- Filesize: 3.0MB
  MD5: 8d57a0f59baaaca4b32d965f4f96dba9
  SHA1: d01b1f749885d63de6b120ef7db1279ef42de8f5
  SHA256: 7530515c5434c0d02cd9df94974284d15b711755d5b6acea40df02768e0a12f8
  SHA512: dd236bc9eedc0791287c8a2ac27b609da53d36ce6911eeb8fce7637c22c03a5591c5f4d9e7cf7493f08037e0be7860cdb7ec3189ee5e42b51b34a21192f4527f

- Filesize: 57KB
  MD5: 4fc24ec84981a4859f43b365bc7a6e01
  SHA1: ac430117e4d5c1ea397e258f30ae3977d121727d
  SHA256: 4e0f91b98ee9c10c5c433f05a4fab324526ea6964036154553a58504c1526eb8
  SHA512: 7ae0f4c703ab13ef1f84b75037d4bb6fc4fb467f89d41f732cd5a27483f762e9fa5e6032c950865b5268dde35e7f3deec80084459c110ad93c15d0d0882b7279

- Filesize: 25KB
  MD5: c9221e0eb3a16dce428ff8c482aa2dff
  SHA1: 793cc75bc04db78d6d21cce028ebc5202ab1f199
  SHA256: 89c1ad531a116c26ad2fba26da6aa3bfb742ddc6af38f6f62b23e30e4064dc82
  SHA512: 47ee868b2819e8889fa54c5e846d987eb2e67d90d25d969bde5b4f55cf75e4b12765acc7077bab313d9e96935a1d554300bfac8ef2ebe9d36f2bedcf78e5ec12