Analysis
max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 21:06
Static task: static1
Behavioral task: behavioral1
  Sample: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
  Resource: win10v2004-20240709-en
General
Target: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Size: 2.6MB
MD5: 7bb120571c084e731f81c6dabc5e4dba
SHA1: 0c23cb9cedec350ec95c55cddf203980f1b5238b
SHA256: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7
SHA512: a2280ef1c989c2900f1822f6fcefb6691821016d03421dc00de4b246c870d3739fea2e0627ce91e14c253a3a3e69889e80ed731b69fcdd368ed463d97713c9f7
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUprb
Malware Config
Signatures
Drops startup file 1 IoCs
Processes: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  process: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Executes dropped EXE 2 IoCs
Processes: ecdevbod.exe, aoptisys.exe
  pid: 4500  process: ecdevbod.exe
  pid: 4456  process: aoptisys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2O\\aoptisys.exe"
  process: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintV1\\optiaec.exe"
  process: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe, ecdevbod.exe, aoptisys.exe
(64 pid/process entries, collapsed by process)
  pid: 1548  process: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe  (4 entries)
  pid: 4500  process: ecdevbod.exe  (30 entries)
  pid: 4456  process: aoptisys.exe  (30 entries)
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
(6 entries, collapsed by target process)
  description: PID 1548 wrote to memory of 4500
  pid: 1548  process: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe  target process: ecdevbod.exe  (3 entries)

  description: PID 1548 wrote to memory of 4456
  pid: 1548  process: 348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe  target process: aoptisys.exe  (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\348353ef39e235d4a02119fda03d5f811e1cc2a1dfe0848d764583f89aa53eb7.exe"
  depth: 1
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1548

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    depth: 2 (child of PID 1548)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4500

  C:\UserDot2O\aoptisys.exe
    command line: C:\UserDot2O\aoptisys.exe
    depth: 2 (child of PID 1548)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4456
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 867KB
MD5: 91cf7cc5ca28ba27026cacd0b93a42eb
SHA1: 996d51e2597471be5c4402971272cbfa49ffac64
SHA256: 6a5377a13c7be7e884ec1b8f383e263ee02f224ca1db907223ab32a9f6098b6c
SHA512: 150f47e9a037afbd4d5b5ba846ca0f3c274c61843fc26491417f8b4ad8fd98e6a459678f35be8d0516f25387ced04a592a27652d56b75e9b882c158c58047f20

Filesize: 2.6MB
MD5: f40871a8a7fff29e6ec1ba6058b1c06f
SHA1: 6843dcac082149464a509bf9180543103edc3240
SHA256: 7d242dceb4fa59e5072755047b9c337b6d5e3bfbce3b9310ec1454d21d23d262
SHA512: 7b9fd014cc523bb034679c31d60cae0b613099594bcb886845b2a1253fa13f98efea3699d634a0421eb3dffd2567bc2f34f20dd5a9932e56f7781ea6a1e4ba95

Filesize: 2.6MB
MD5: 6600d037e06a6e711bd94e36e033b719
SHA1: 8e4c1cb0d12c5362aac9f82a9e5b58e0c6fd7663
SHA256: 12b92044bcca46c71402e24db78195b7772873f98a9235aa768ca57aae143166
SHA512: baf558d2bb764a742f2ad69c88b641cff188561d05e573ced8177c1769fe4a9b2efcaff383e79186b052a7fd31bd6568e1db656374d10e5c70d94bfcc4642f11

Filesize: 204B
MD5: 2364bdfe951d1c7597c6515aa745cd9b
SHA1: 7c0cd576176de3879f59dcb7b54fcd5d053e071d
SHA256: f7d2bb64f010e0aa6f0609e04222ab95560a4f120439b3ac9ccbb02c0511db4a
SHA512: 1428de5a1c268f70aa5d4d16372127b7cbad4291419432fec199166868bb80618961ec5fa3e46303e9c80e21fdf47cbed3a2b76f300afc874db3e27f8cc565df

Filesize: 172B
MD5: c3bd9d15528498008ce685bfb0011565
SHA1: b736c9432c1a986f6e60d566a4bb79e21ae0558f
SHA256: 3b9fcc1e839f3e045e7880a233861bfc4b0cf1be46d14ffdb306ee0e2171f52f
SHA512: 1e33960f4b5c43bfd54c3a76173d41a840693443c789a41b9f6e0baa7d588ee759b1c3bc866941b21f7c79030beb9e5ea5602ba7d6d55caedcd4c9884b283adf

Filesize: 2.6MB
MD5: 61acb3ead22514f2a82da11e123f95d6
SHA1: a69c7e69ceedbb23b826d640a2bccd7c95ca87e4
SHA256: 39ee1d6072feb3986778a047efb399c171e06f39244bf9780e92f9298efb664f
SHA512: 9a9046b33114e0990424eff5ef5b9f380eda1fbb4bebf665649134ea87c0a4e8db5cb6879565ae0ef9c3f613cac91530dbf81c4d1256c0b390b73a0197fb60cf