3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
Size

2.6MB
MD5

03804f7f2533c60214c4201753867ed2
SHA1

b76d1ec4d7463c26afd6647b60b1e602b4b1117a
SHA256

3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4
SHA512

be52caa309218e2c835b4fe782aca42666df46de1e09fd9f2bf90a39c4fa70767084c4daab3958a5415abe6ee7fb4dbb68925b6a640d56e8c9df100b7d891e79
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpWb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe

Executes dropped EXE 2 IoCs

pid	Process
5020	ecdevopti.exe
4596	xdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot3T\\xdobec.exe"	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW8\\optidevec.exe"	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe
5020	ecdevopti.exe
5020	ecdevopti.exe
4596	xdobec.exe
4596	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 5020	3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	84
PID 3256 wrote to memory of 5020	3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	84
PID 3256 wrote to memory of 5020	3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	84
PID 3256 wrote to memory of 4596	3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	85
PID 3256 wrote to memory of 4596	3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	85
PID 3256 wrote to memory of 4596	3256	3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe	85

C:\Users\Admin\AppData\Local\Temp\3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
"C:\Users\Admin\AppData\Local\Temp\3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\UserDot3T\xdobec.exe
  C:\UserDot3T\xdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintW8\optidevec.exe

Filesize
239KB

MD5
215e27406642502f5fa74da900063ad5

SHA1
f17bd2291c64c91e6ce0093bd9a7db6f77d45004

SHA256
ad1cc6c4483f1820ee492bbdda5cf6b0849f6fdd205d8966a0f8958054f73f4d

SHA512
530020a1f376e8409558b2ca1659453c178bfe83db17c06b23b62b979a1fd70d7794f5bb673d92d0683e0fc3acb3bb6699472ab2faf01356b54a4651311065e1

Download Submit
C:\MintW8\optidevec.exe

Filesize
12KB

MD5
0d80c026ff7217667d1758553c9b1b94

SHA1
14d1f220d41220a37e1c0a894bbcc390e238adac

SHA256
3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8

SHA512
5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a

Download Submit
C:\UserDot3T\xdobec.exe

Filesize
2.6MB

MD5
a57f63c790127c230adc4ad81e9479ec

SHA1
4bce0c149d1142937abd56e29889e89b5a925ce1

SHA256
ae050e3aa4a845efb6f305960b011842d7c55b06a6bff0a5976249059a49c85e

SHA512
846f6dbcb7cf068107ad244bc3b945c2b2c1e4d6614b69a1b1f61b5d98cb1e6ce49d81237a4ca251face4d8a87f52269003a24df20087b48cdce07e65286f93f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
9a276381dcb05403788a2b58edd14810

SHA1
8e3cd081f6a08c133e999f8222144ba20a03918e

SHA256
3de02de387797840be6ec87fc3327c16ee8110ed6c0780a0d736905aea638828

SHA512
65644016ff702b8684650f9c1f2086a6a77a1368f7237dfa70a286c4d5ec14d3fecf3ca8a7daef3aca0d3d1217c628253ae047f7efe2db13a67fdf05d16c08e2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
ec5a6632094a6de69a5d5487338f10bb

SHA1
35248bba8d98b465dbfd78759d5c1d69e9f63b65

SHA256
02e8a1b9e7ba63b15e842532efb2980fafc9beacb9113bb24c0be76ca088806a

SHA512
b1060e7ef28ba989cc2cc3c0ffecea9cee4e7b48cb608d6b24bee0bb6d6962e756f8a26e6abb9a5ebc952ed23a33dc8502d904a66ee4b8f133cc3b9faff127dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
d06f551e3c822616c6d1467d9d5ab243

SHA1
0f35d1c5f6c8781338fe9f2d10ae2eb14c9c7c12

SHA256
639dfe1f108c6206ccc22700c6b015f0146ebcaa18845e615162996e1f28b7a3

SHA512
12c3cf0ad00477bb5bac6612b68a7299fa2076280d79739afccf4f10e9dbf4266fd177159aa980f2d966ea5e13ca3f59a4656ba06cd29ad8a5d282728679374a

Download Submit