Analysis
- max time kernel: 120s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-10-2024 01:52
Static task: static1
Behavioral task: behavioral1
- Sample: 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
- Resource: win10v2004-20241007-en
General
- Target: 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
- Size: 2.6MB
- MD5: a15549388e8505b38d0cbc086ab21650
- SHA1: ffd85f890273c73fe210f5c2feb0008b853c62b5
- SHA256: 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21
- SHA512: 1973395607f23f5e2face253dd5bd8cdd8c830ca589263628b0b4f83d4828911a4994a5db9621095023b1360414a976a05c73b5aece9a8528ef30b486c317d0f
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bS:sxX7QnxrloE5dpUplb
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
- Executes dropped EXE (2 IoCs)
  Processes: ecdevbod.exe, aoptiec.exe
  pid | process
  244 | ecdevbod.exe
  4744 | aoptiec.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintC3\\dobaec.exe" | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY3\\aoptiec.exe" | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Processes: ecdevbod.exe, aoptiec.exe, 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevbod.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptiec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe, ecdevbod.exe, aoptiec.exe
  pid | process | entries
  864 | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe | 4
  244 | ecdevbod.exe | 30
  4744 | aoptiec.exe | 30
  (The 64 entries appear in the order listed: four for PID 864, then alternating pairs for PIDs 244 and 4744.)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe
  description | pid | process | target process
  PID 864 wrote to memory of 244 | 864 | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe | ecdevbod.exe
  PID 864 wrote to memory of 244 | 864 | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe | ecdevbod.exe
  PID 864 wrote to memory of 244 | 864 | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe | ecdevbod.exe
  PID 864 wrote to memory of 4744 | 864 | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe | aoptiec.exe
  PID 864 wrote to memory of 4744 | 864 | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe | aoptiec.exe
  PID 864 wrote to memory of 4744 | 864 | 498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe | aoptiec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\498bdb531edcd99d85464d0717b790138a3e76950c24f2cf9a141e020e8c7b21N.exe"
  PID: 864
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    PID: 244
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\SysDrvY3\aoptiec.exe (level 2)
    Command line: C:\SysDrvY3\aoptiec.exe
    PID: 4744
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: 3193f6732970f64ca3094d85171d7380
  SHA1: 0d2f450337cb69eafa727d6d6de40feb0750ba1d
  SHA256: e09faa78045b943266c903ad6e7b69a1069ca062bfda7c5f794f8e9e7eb9ad9b
  SHA512: b23afd97dc8f9fe6ddb53b3a780345bde4ea50f989055db34d69d243649f4b7cb2c2c4429e9fa318a396fe363aaa923f2c261ba475390673664ac4fda7c5b3f8
- Filesize: 15KB
  MD5: 10e6df3619bbbd1a2464d5000a56fbb5
  SHA1: 9080f324c059847c04fbc434d62d8ab2e06140a9
  SHA256: e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559
  SHA512: 9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff
- Filesize: 2.6MB
  MD5: 8cc4bd9e962da8395dfc84d95db6b5b6
  SHA1: 85172b77249150f85432fccba873bcaed37fb278
  SHA256: a1d5c93fbfed913c4e91a0f3c266e0c622d0f399dd1718915d9fadb097a268a6
  SHA512: 33cfdca24b25a380b9d99cdb760042786fd08fd2ed2d4c3ac76119145270e3f3cc16511f6815703bf93516195475c6626f8d0c6ecc4c0b876a5f0c3529d6cba5
- Filesize: 201B
  MD5: 1c3b72c83354d8d32854d16e09abe458
  SHA1: 16e98c1ae540627af7c2782718c31bd0dbaae99b
  SHA256: d2f8e59fc40158af7ba25f8dcc467d1764c480a3a30c8a35165e3ab36d6d3c91
  SHA512: 98c9d575ca1ba257f5f4d23e11c4c139e3efb0192bd50587f255fcf6f29a5b1d5e27d83aa13d9732a2c8a9121c13401ba531d97929b5e7d23fa68eec2b2fb576
- Filesize: 169B
  MD5: a7e8a056eb2ea6544e554cbd4a351ac3
  SHA1: 30aff2072b3bf16c7fe0ae73043c87c0dbacf221
  SHA256: 4d147a0e80b9727c921f66143cd30ad16ed7e61bdf6f430fa2f356ff2c072e1d
  SHA512: 41fb8a838ed6d423ebfc4289084f4750368f80eda0390d55a4bf54d519d598492ee37dd512b046c6244820f97bf8efbf0ae526d0222295d7a8eacf258861366d
- Filesize: 2.6MB
  MD5: 0d77f950040263a86f16d19eb4d18c70
  SHA1: 35de10f84b045a6fbe924320e2e2880fb8524a21
  SHA256: 281aca67e6742dc7798067674aace57d579696613c051206ae61b2778cb3fe9b
  SHA512: 10c00e91e0b77413be768f4653ae723dd17d93fe29c7e3da7b35f2158b0a3925e16e2edf39def01ea44a9365525bd491441a0cfb980b485fb1f92c9dc5f07b2d