Analysis

max time kernel: 149s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 21:05

Static task: static1

Behavioral task: behavioral1
Sample: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
Resource: win10v2004-20240709-en
General

Target: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
Size: 3.2MB
MD5: 4162ddf5275af7929f36bb4f04a80ede
SHA1: 20b1c07822775fd6523d2b876d940d76aed79b5f
SHA256: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49
SHA512: dfab67b475476723478145be8f3faa7907004b173e798e46d74448e1ca0fad8885695942ab1f059de26abcff15ec7d2e730779ec085e972b30d66320a0c70d90
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz
Malware Config

Signatures

Drops startup file (1 IoC)
Processes: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (process: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe)

Executes dropped EXE (2 IoCs)
Processes: ecdevdob.exe, devoptisys.exe
- PID 1636: ecdevdob.exe
- PID 1956: devoptisys.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWJ\\devoptisys.exe" (process: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax9X\\dobasys.exe" (process: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe, ecdevdob.exe, devoptisys.exe
Distinct pid/process pairs (the 64 entries are repeats of these three):
- PID 380: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
- PID 1636: ecdevdob.exe
- PID 1956: devoptisys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
Distinct entries (each recorded three times in the report):
- PID 380 wrote to memory of 1636: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe -> ecdevdob.exe
- PID 380 wrote to memory of 1956: 3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe -> devoptisys.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3455b0b6874da6c84d72d1500a2f77fa6137a04cdce926687ea7c0bf6f0c8a49.exe"
  PID: 380
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Depth 2 (child of PID 380): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    PID: 1636
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  Depth 2 (child of PID 380): C:\IntelprocWJ\devoptisys.exe
    Command line: C:\IntelprocWJ\devoptisys.exe
    PID: 1956
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads