Analysis
-
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
13/10/2024, 05:07
Static task
static1
Behavioral task
behavioral1
Sample
f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Resource
win10v2004-20241007-en
General
-
Target
f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
-
Size
2.6MB
-
MD5
a37a4fe8457103d4e56baa5f929ca4b9
-
SHA1
ffa5598357454bb21adf25042afd2e245735df63
-
SHA256
f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46
-
SHA512
3911485d0cd63a27562e84e97af79a146076f70e0da33fabc7715e117949ed561736746715b0cfa21b2ce9b906d1bf628fe49db8a498a0acad62fde56a050c91
-
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bS:sxX7QnxrloE5dpUpDb
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
-
Executes dropped EXE 2 IoCs
pid Process
3412 ecdevbod.exe
112 devoptiloc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKD\\devoptiloc.exe" f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAV\\optialoc.exe" f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecdevbod.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language devoptiloc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 repeated entries, three distinct pid/Process pairs)
3132 f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
3412 ecdevbod.exe
112 devoptiloc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 3132 wrote to memory of 3412 3132 f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe 86 (3 entries)
PID 3132 wrote to memory of 112 3132 f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe 87 (3 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe
"C:\Users\Admin\AppData\Local\Temp\f310bce8bad44419ae46ed0da57a2aed9845c63ab96970bc9b7338cf97210e46.exe"
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3132
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3412
-
  C:\FilesKD\devoptiloc.exe
  C:\FilesKD\devoptiloc.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:112
-
Network
MITRE ATT&CK Enterprise v15
Downloads