Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/08/2024, 20:12

General

  • Target

    3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe

  • Size

    2.6MB

  • MD5

    03804f7f2533c60214c4201753867ed2

  • SHA1

    b76d1ec4d7463c26afd6647b60b1e602b4b1117a

  • SHA256

    3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4

  • SHA512

    be52caa309218e2c835b4fe782aca42666df46de1e09fd9f2bf90a39c4fa70767084c4daab3958a5415abe6ee7fb4dbb68925b6a640d56e8c9df100b7d891e79

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bS:sxX7QnxrloE5dpUpWb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe
    "C:\Users\Admin\AppData\Local\Temp\3283f6ba2b371509bd1308e36d2f3b4d84946ce57d5557dccd11e660bd398ae4.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5020
    • C:\UserDot3T\xdobec.exe
      C:\UserDot3T\xdobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4596

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintW8\optidevec.exe

    Filesize

    239KB

    MD5

    215e27406642502f5fa74da900063ad5

    SHA1

    f17bd2291c64c91e6ce0093bd9a7db6f77d45004

    SHA256

    ad1cc6c4483f1820ee492bbdda5cf6b0849f6fdd205d8966a0f8958054f73f4d

    SHA512

    530020a1f376e8409558b2ca1659453c178bfe83db17c06b23b62b979a1fd70d7794f5bb673d92d0683e0fc3acb3bb6699472ab2faf01356b54a4651311065e1

  • C:\MintW8\optidevec.exe

    Filesize

    12KB

    MD5

    0d80c026ff7217667d1758553c9b1b94

    SHA1

    14d1f220d41220a37e1c0a894bbcc390e238adac

    SHA256

    3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8

    SHA512

    5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a

  • C:\UserDot3T\xdobec.exe

    Filesize

    2.6MB

    MD5

    a57f63c790127c230adc4ad81e9479ec

    SHA1

    4bce0c149d1142937abd56e29889e89b5a925ce1

    SHA256

    ae050e3aa4a845efb6f305960b011842d7c55b06a6bff0a5976249059a49c85e

    SHA512

    846f6dbcb7cf068107ad244bc3b945c2b2c1e4d6614b69a1b1f61b5d98cb1e6ce49d81237a4ca251face4d8a87f52269003a24df20087b48cdce07e65286f93f

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    9a276381dcb05403788a2b58edd14810

    SHA1

    8e3cd081f6a08c133e999f8222144ba20a03918e

    SHA256

    3de02de387797840be6ec87fc3327c16ee8110ed6c0780a0d736905aea638828

    SHA512

    65644016ff702b8684650f9c1f2086a6a77a1368f7237dfa70a286c4d5ec14d3fecf3ca8a7daef3aca0d3d1217c628253ae047f7efe2db13a67fdf05d16c08e2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    ec5a6632094a6de69a5d5487338f10bb

    SHA1

    35248bba8d98b465dbfd78759d5c1d69e9f63b65

    SHA256

    02e8a1b9e7ba63b15e842532efb2980fafc9beacb9113bb24c0be76ca088806a

    SHA512

    b1060e7ef28ba989cc2cc3c0ffecea9cee4e7b48cb608d6b24bee0bb6d6962e756f8a26e6abb9a5ebc952ed23a33dc8502d904a66ee4b8f133cc3b9faff127dc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    d06f551e3c822616c6d1467d9d5ab243

    SHA1

    0f35d1c5f6c8781338fe9f2d10ae2eb14c9c7c12

    SHA256

    639dfe1f108c6206ccc22700c6b015f0146ebcaa18845e615162996e1f28b7a3

    SHA512

    12c3cf0ad00477bb5bac6612b68a7299fa2076280d79739afccf4f10e9dbf4266fd177159aa980f2d966ea5e13ca3f59a4656ba06cd29ad8a5d282728679374a