Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2024 21:07
Static task: static1
Behavioral task: behavioral1
- Sample: 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
- Resource: win10v2004-20240709-en
General
- Target: 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
- Size: 4.1MB
- MD5: 03a7e9995d0a557460b5d7670ba7dc2d
- SHA1: 4db8d8d938cb1ecf01cabfad0ee37b4268c0f0a9
- SHA256: 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d
- SHA512: c3ad4bba75ae6ab4476ff5d164e72a0e6bb6b345679a8ebf03f9cec0298b24cbe9e2b3fe9cc2eb622a27ec6413ef7dab282e587105be799e5fdea8facf57009d
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpGbVz8eLFcz
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
- Executes dropped EXE (2 IoCs)
  Processes: ecabod.exe, devdobsys.exe
  pid | process
  944 | ecabod.exe
  1848 | devdobsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeS4\\devdobsys.exe" | 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ4\\optidevec.exe" | 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe, ecabod.exe, devdobsys.exe
  pid | process
  544 | 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe (4 entries)
  944 | ecabod.exe (30 entries, alternating in pairs with the entries below)
  1848 | devdobsys.exe (30 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
  description | pid | process | target process
  PID 544 wrote to memory of 944 | 544 | 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe | ecabod.exe (3 entries)
  PID 544 wrote to memory of 1848 | 544 | 34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe | devdobsys.exe (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34c71c789a33cea271b9cbe5bf67e32ed6dd3f5bec126b39b8adf6966433d66d.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 544
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 944
  - [2] C:\AdobeS4\devdobsys.exe
    Command line: C:\AdobeS4\devdobsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 1848
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13KB
  MD5: 8c3627c138b69a29f1f3e7743c377ac9
  SHA1: 38d00db20d4ccba9fef285bc5b2c50eb73f352a7
  SHA256: 2d835e282b9a7e65559019000af2d36aea1151090066ff801f25da276c99e627
  SHA512: 0e81b2f188fef8742620e583da5a47aa6eae70cf24a798f64d916f01fad49d5ad6f3e883deed9cc6b3dbd7301c28e483ebcc324d83c8a63b41ef839432ef7a21
- Filesize: 4.1MB
  MD5: 4375afc6733dbc0b90afa18085b022d8
  SHA1: 926bf548f6527f436dc5f041035b57e6710eed2b
  SHA256: 8c261cdfa4f7e1393331f26ea5c4988dd3a8346796afe94b765b75b66c3636b6
  SHA512: b8c3074e3b25c73b0dfcc62a89d607940ddc700e4aae590b19452f3ae520fb1ab08ab28e55e30d388a7635edceba22d53261eacc5c53467e85b13b0eb0d03b3a
- Filesize: 4.1MB
  MD5: d9db0d2b7650975510da74005fbf1ecd
  SHA1: 8bab17113912855de84bb39025d06687474b33e9
  SHA256: 1c00e73ad1525f0cf1ef2e314f6ab82d5f140f8dfdf62f7808706047ac135e3d
  SHA512: 04b7c3119c04d9e2a7cd7779fd8ad1cc8e25404af4bcb7844832ba66ba907b19023148a3fe96dc83552879c58a8f547ecac9818be59f24059128fd3d8eb37801
- Filesize: 887KB
  MD5: 82146fb03fd0e9fa9326939e41d7021f
  SHA1: d38de66a7de6f4360cad2ab2bbc3f30043911e89
  SHA256: 99da567c8e8751cd3ab7444c635df7e8b15e8891e74333ba29ccbee629f59d52
  SHA512: aca6c862cd359c4b615d583488584542a8601eec922b3bad65f6697f05a2cbe05c2172f50a378e8d14e929c95095fedf96accc4cdaa551b7d7742f6ac386c219
- Filesize: 204B
  MD5: b9c4ad900ff4ba27ad0850b125ca7c24
  SHA1: dff933f4585e54285ac0ca5fceb650e1d6f56d4e
  SHA256: 66bcf7c1bee825be5157855623b28d02752cc4f6168b98c0a41be27699906777
  SHA512: d03a1558ab04c2fd57b76403b6298bd4ee84237879f4cbe14ab909d4208ea6c86a1d7b69a0b522e3e74a52462c5dc477a395c4a9306553baafc5b171c35dd7b5
- Filesize: 172B
  MD5: 9733f12cb0c6a179527bf8a410b9fad1
  SHA1: a9fb6f6a2cf41e5275f46115d54833f304e0ac53
  SHA256: 56e2f41cd01fc6374fd09c7877d7b69a1b9d3a331402db20f2258f5207214e2b
  SHA512: b97e36d078fe2afdce76df01954c410f67c4bcaf8c91cb0cbad91687cdf61db6dcf383638c29dfff2aa65ce7a087cb9fda749a504f6e9fe496ecbf41dc08bef6
- Filesize: 4.1MB
  MD5: 77c43e4f36b0c70eeb20a322591cc226
  SHA1: 5819146467997e4ae9b7ec443debf1d58ac3b79d
  SHA256: acc6c43f8ab31da673c9f3ba7925295a42a44fb6c56e17f00c4b0a1daab64c7e
  SHA512: 69175a3013056f03bcadf70f88eb42fed9ec642861e3f9c72c2a9b549c63cc26915af791ac3a1563527d7d0bd0b47f729ed7a3036f148b8be077b1abda25485a