Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 23:36
Static task: static1
Behavioral task: behavioral1
Sample: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Resource: win10v2004-20241007-en
General
Target: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Size: 2.6MB
MD5: cbd0bf2ceb1e66b901c9a5e53b9c830b
SHA1: 7982722543a8118da5f1d313a3b09a429e428834
SHA256: 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899
SHA512: 8fed557f28860f87fc058dde07da8eedacceebb1d63fb131d0e5fc2487444ea3124eddd1bdc1bfadcf7f8614d35969171b851151bcd04264086e5c2a6473409d
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBZB/bS:sxX7QnxrloE5dpUp+b
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Executes dropped EXE (2 IoCs)
pid | Process
4376 | ecadob.exe
1160 | devoptiloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\SysDrvOY\devoptiloc.exe" | 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\GalaxGD\dobaloc.exe" | 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Both values share the name "Parametr". The Run target (C:\SysDrvOY\devoptiloc.exe) is executed during the run; the RunOnce target (C:\GalaxGD\dobaloc.exe) appears nowhere else in this report, neither in the executed-EXE list nor in the process tree, so it is only reached on the next logon.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecadob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, collapsed by process)
pid | Process | hits
1784 | 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | 4
4376 | ecadob.exe | 30
1160 | devoptiloc.exe | 30
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1784 wrote to memory of 4376 (x3) | 1784 | 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | 89
PID 1784 wrote to memory of 1160 (x3) | 1784 | 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | 90
All six writes come from the parent (PID 1784) into the two children it launched itself (4376 and 1160; see the process tree). A parent writing into a process it has just created is also what ordinary process start-up looks like, so on their own these hits do not establish injection into an unrelated process.
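Hunt logic for the persistence IoCs above, as an added example that is not part of the sandbox output: it copies the Run/RunOnce values, the Startup-folder drop and the dropped-file MD5s from this report and runs them over a handful of constructed Sysmon-style records (Event ID 13 value set, 11 file create, 1 process create). The field names follow Sysmon; the records themselves, and the pairing of one Downloads hash with devoptiloc.exe, are assumptions made for the example. It also generalizes the report's two Run-key hits into a heuristic for any Run/RunOnce value that points at an executable in a directory directly under the drive root, which is the shape of both C:\SysDrvOY\ and C:\GalaxGD\.

```python
"""Hunt for the persistence IoCs recorded in the sandbox report above.

Added example, not part of the sandbox output. IoC values are copied from the
report's signature tables and Downloads list; the events below are CONSTRUCTED
in Sysmon-like shape and are not from the report.
"""
import re

# --- IoCs copied from the report ---------------------------------------------
# Run / RunOnce values written under HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion
AUTORUN_IOCS = {
    ("run", "parametr"): r"C:\SysDrvOY\devoptiloc.exe",
    ("runonce", "parametr"): r"C:\GalaxGD\dobaloc.exe",
}
# File dropped into the per-user Startup folder
STARTUP_DROP_SUFFIX = r"\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe".lower()
# MD5s of the three 2.6MB dropped files listed under Downloads
DROPPED_MD5 = {
    "3cfc1096b13ce7ab8735810ab4d16307",
    "2d8c055e41eb6bc8a100f1bd093d9904",
    "22e6746ea60c6d0e40396860fabd618f",
}

# Locates the Run/RunOnce value name whatever hive prefix the log source uses
# (\REGISTRY\USER\<SID>\..., HKU\<SID>\..., HKCU\...).
AUTORUN_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE,
)
# Heuristic generalized from the two hits in the report: an autorun target that
# is an .exe sitting in a directory directly under the drive root (C:\SysDrvOY\x.exe).
ROOT_DIR_EXE_RE = re.compile(r'^"?([A-Za-z]:\\)([^\\]+)\\[^\\]+\.exe"?$', re.IGNORECASE)
BENIGN_ROOT_DIRS = {"program files", "program files (x86)", "windows"}


def check_event(ev: dict) -> list[str]:
    """Return the findings (possibly none) for one Sysmon-style event dict."""
    findings: list[str] = []
    eid = ev["EventID"]
    if eid == 13:  # RegistryEvent (Value Set)
        m = AUTORUN_RE.search(ev["TargetObject"])
        if m:
            key, name = m.group(1), m.group(2)
            data = ev["Details"].strip('"')
            if AUTORUN_IOCS.get((key.lower(), name.lower()), "").lower() == data.lower():
                findings.append(f"IOC autorun {key}\\{name} -> {data}")
            rd = ROOT_DIR_EXE_RE.match(data)
            if rd and rd.group(2).lower() not in BENIGN_ROOT_DIRS:
                findings.append(f"HEURISTIC autorun target in drive-root directory: {data}")
    elif eid == 11:  # FileCreate
        if ev["TargetFilename"].lower().endswith(STARTUP_DROP_SUFFIX):
            findings.append(f"IOC startup-folder drop: {ev['TargetFilename']}")
    elif eid == 1:  # ProcessCreate; Sysmon formats Hashes as "MD5=...,SHA256=..."
        hashes = dict(part.split("=", 1) for part in ev["Hashes"].split(","))
        if hashes.get("MD5", "").lower() in DROPPED_MD5:
            findings.append(f"IOC dropped-file hash executed: {ev['Image']}")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that produced at least one."""
    hits: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        found = check_event(ev)
        if found:
            hits[i] = found
    return hits


# --- constructed sample events (not from the report) -------------------------
SID = "S-1-5-21-4089630652-1596403869-279772308-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe"
CV = "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER, "TargetObject": CV + r"\Run\Parametr",
     "Details": r"C:\SysDrvOY\devoptiloc.exe"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": CV + r"\RunOnce\Parametr",
     "Details": r"C:\GalaxGD\dobaloc.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",  # benign autorun
     "TargetObject": CV + r"\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"},
    {"EventID": 1, "Image": r"C:\SysDrvOY\devoptiloc.exe",  # image/hash pairing is assumed
     "Hashes": "MD5=3CFC1096B13CE7AB8735810AB4D16307,SHA256=D757B692D8295F6E5B02F40A09FEA36C1171593D26429207A0B113B86FF250C4"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},  # placeholder value, not a real hash
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        for line in found:
            print(f"event[{idx}] {line}")
```

The exact-match rules catch only this sample; the drive-root heuristic is what carries over to the next build, since the report shows the dropper choosing fresh top-level directory names rather than a fixed path. Expect it to need an allowlist on real hosts, as some legitimate installers also use drive-root directories.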
Processes
C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe (PID 1784, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (PID 4376, depth 2, child of 1784)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\SysDrvOY\devoptiloc.exe (PID 1160, depth 2, child of 1784)
    command line: C:\SysDrvOY\devoptiloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Seven files were captured during the run. The three 2.6MB files each carry hashes different from the submitted sample (MD5 cbd0bf2ceb1e66b901c9a5e53b9c830b) and from one another, so blocking on the submitted sample's hashes alone does not cover the dropped files.

Filesize: 465KB
MD5: 8c48839869cdc33ee8d808cefe4bff31
SHA1: 5b0b150ac50ac276c0394f201a9a70914f7030d1
SHA256: 0c7ff96bd5692ea5156bae38325137308fb73a9dcc77a1d4745d404c26fd50c8
SHA512: 92c3e5ffc33e917f5f31664804b9a54caa4fe3bbaa7597b30172b6643fa48df9ca0ab3a9dd9c5c87c16a92feb5d88232a9ba4f26b67c04e892cff5889fc847eb

Filesize: 2.6MB
MD5: 3cfc1096b13ce7ab8735810ab4d16307
SHA1: caec2fb8e8dc9f9bde8779b61c413edc3b752e62
SHA256: d757b692d8295f6e5b02f40a09fea36c1171593d26429207a0b113b86ff250c4
SHA512: 61f5644ce7a001748eabe5f645daea9a9adff9e8409f85d217e4a176fbf0baae2454b9ff2ebc158dd87b06294458cda8e5a2941720a858d4135e77d3e04cb1e0

Filesize: 368KB
MD5: e34520bc93203a072a939ec6969e94e9
SHA1: 8c1f498f5e8e597e6684225ad02860b524bfd4c6
SHA256: 4ad79bf2a64f85d256f14d61117eaae47ed13ffc396bce3be1863004e20cc67f
SHA512: 22ee91e55d2257abd6f1819a1cc18770579d03c47e9f5b016a3c40fe565aa221358019fb10289bd3e1d33d961cadcf5cfa2a2bd77ef03282c9541b3d660ac81a

Filesize: 2.6MB
MD5: 2d8c055e41eb6bc8a100f1bd093d9904
SHA1: 44a3ee96b13dc251aae76666ec80f94ec62f0e8e
SHA256: 68d691d6131936d0e1862e3fe6325d7e0d3b68543afe9a20b17c3fba427413f5
SHA512: 75643960cfe3de728bacfaed82d67333d6f85270426c2abe069f241b2e7dc53b35a63b3b54ce2b4ca4a189b2d832a00b2c5f597146a572267595c4f635d813db

Filesize: 204B
MD5: df01066a5764d81c61bf68c499b3e71f
SHA1: b5fa03ce2cc4e54db01f60f0cbd1cb604d2ef654
SHA256: ebede10db995092baa009b0de44d98a63fd3cbaf32ba3b7a742c4207e1ae7b2f
SHA512: 8a061243a4757018cf5d3078036f96392b6e65edaabecf23a258f9b3afd8b1210901328837ffb77ec197b32b5c0c0a7375636aa838045a10bfb9ba7e36ab654b

Filesize: 172B
MD5: b8a05e527e95d01834a8c99257bac3d0
SHA1: 8c1489e2f6557fa8de714d0cebc6557426f5f111
SHA256: 9aa08b1e2271249979feffa21514e0c24eda82ed1e1d39c93da8f6b75a9343cc
SHA512: 568ebda83ba21593fe7194c0e8bdf0dc1900cf8c646b56d8a42b875ded18ad1c8b965a5abd60960fc13cafdd50f0b7fd94124a2557405a1ed4d0989f579f9a5e

Filesize: 2.6MB
MD5: 22e6746ea60c6d0e40396860fabd618f
SHA1: 18a24cbb9f6f950d7ade64704d7d89b4ec158ba0
SHA256: ef03825813b22188768f0ec777c21dc4ddd43544237d55babced99d919e40d01
SHA512: bf12004ab7dae8fed2290b1815f003002e4ed61b7bc00f8901fc4ec12b04896176b83d55711b65420071f5ad4ea4eb530d5e2fde748d41ba982acef56a96798f