Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 05:07

General

  • Target

    f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe

  • Size

    2.6MB

  • MD5

    a37a4fe8457103d4e56baa5f929ca4b9

  • SHA1

    ffa5598357454bb21adf25042afd2e245735df63

  • SHA256

    f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46

  • SHA512

    3911485d0cd63a27562e84e97af79a146076f70e0da33fabc7715e117949ed561736746715b0cfa21b2ce9b906d1bf628fe49db8a498a0acad62fde56a050c91

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
    "C:\Users\Admin\AppData\Local\Temp\f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3412
    • C:\FilesKD\devoptiloc.exe
      C:\FilesKD\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\FilesKD\devoptiloc.exe

    Filesize

    2.6MB

    MD5

    a4c9a5ec0a8d24f3f52c14ed1e84db99

    SHA1

    9c9a42a52867101c5bfd2e581cb0cd46d9978e65

    SHA256

    3b9fe1d814504cb1fa0be7aa5f8f35f3ff63e568887e53a29bd4f5d30df87cb3

    SHA512

    c8e09eb0a745e4fff78dc982f1a348c8a4def10a08a32d7056306175f3fc277f3ae2a3215d306ef33767e5ab60cc991c21cf1d2723da255f63a5b6e86deb9122

  • C:\LabZAV\optialoc.exe

    Filesize

    997KB

    MD5

    8a69c5cee071ab813dd13ccf46eee492

    SHA1

    183cbeff384d2f200087ac81514bdd76ed10ae3e

    SHA256

    5d23601d7c070ff03e00b6281a4279fa2618eeac0c1613b72498335e4cf958d7

    SHA512

    72599db04102c5529bc149b5d3c20add6969df5c59e1d6ad216651dbda3622ea1f5d197b158023fd25c6f0d4efdacf84c0ab7b99246bf1d23c24db390faf3666

  • C:\LabZAV\optialoc.exe

    Filesize

    388KB

    MD5

    819aac3b24b945cfab4821e239d56081

    SHA1

    7a6aed11e2e732622ea60e0d968287bb78111b20

    SHA256

    63a225e8123941b8770207d28bb429442d1e699a7de86ec2706dbd0322881519

    SHA512

    f584e60a946b3463868dc1647dc517fc826012e6b538317ebc03c06f60c9c49eef428ad2d81cba7f2ea43fdf3785125cac899e44d814735b6998403ea9f4bfc7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    cd21c21f5ee8cd49ffdceede3da230c7

    SHA1

    1b75e75f29e2f4504c29eaa646927843bc746668

    SHA256

    83ddd8cc64bbc347aaec3611d690b5cef9087dc67ac6390ba0378258b463d522

    SHA512

    24581c711b2dee7bb2209cd3972db1f6d910c8410da3f2653f857cd256838cb93c635a39de044ff4f8671bbbbe846dbae4fd2e327f4648ed0d78ecaf634b14a6

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    173B

    MD5

    be894c3d86ca9901e1ee17427357ccd6

    SHA1

    cfb3d8814850e6eb1963721c65e90944d51387c0

    SHA256

    e882145fc6db4f0a0c0fc30d274f910ce04d40250e62d9bee5587e5356b38b15

    SHA512

    49f475a168fe17ba82b2b73ff84ca2651852ebf8ebd85ce4e0676360dab8ea32342dc6c0a9efc55e63e489d50ef657d35b742eaf8c2b8ee8223e9d759d5273b6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

    Filesize

    2.6MB

    MD5

    05de1d353c665f47662471c2e1178cf5

    SHA1

    a87469251dbf7c0df9719e31feeb2105a38ac29d

    SHA256

    a28bb1d59a1d0beda6f4c47b0001b1dc1e85c98a739b8aa50798390bccec98bd

    SHA512

    14e8f014a1b447118475aee92b894a03e42f8093974ed44452ff76eebe02d5600c7b0c8559c8fd4a2c2ef1e3cb165a1df849722f87d2140d9147db04b8e2206d