Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/08/2024, 20:12

Static task: static1

Behavioral task: behavioral1
- Sample: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
- Resource: win10v2004-20240802-en
General
- Target: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
- Size: 2.6MB
- MD5: 03804f7f2533c60214c4201753867ed2
- SHA1: b76d1ec4d7463c26afd6647b60b1e602b4b1117a
- SHA256: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4
- SHA512: be52caa309218e2c835b4fe782aca42666df46de1e09fd9f2bf90a39c4fa70767084c4daab3958a5415abe6ee7fb4dbb68925b6a640d56e8c9df100b7d891e79
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpWb
Malware Config

Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access or copy of web browser credential store.
- Drops startup file (1 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (process: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe)
- Executes dropped EXE (2 IoCs)
  - PID 5020: ecdevopti.exe
  - PID 4596: xdobec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot3T\\xdobec.exe" (process: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW8\\optidevec.exe" (process: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevopti.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xdobec.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the pid/Process entries repeat, distinct values listed)
  - PID 3256: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
  - PID 5020: ecdevopti.exe
  - PID 4596: xdobec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 3256 wrote to memory of 5020 (process: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe, procid_target: 84), reported 3 times
  - PID 3256 wrote to memory of 4596 (process: 3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe, procid_target: 85), reported 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe (PID 3256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (PID 5020)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\UserDot3T\xdobec.exe (PID 4596)
    Command line: C:\UserDot3T\xdobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads