3615b52e16b586798efc5a8e78dc9d0f823e7926d824d69caff87d8350a313a5

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ef5e12336cde017f467dbfe49bea1e0N.exe
Size

3.6MB
MD5

9ef5e12336cde017f467dbfe49bea1e0
SHA1

3e9f4b22c937cf90b722d1ab9a576beb7dbdf765
SHA256

3615b52e16b586798efc5a8e78dc9d0f823e7926d824d69caff87d8350a313a5
SHA512

54760b19b91f5474cfeda3af1affd16c27cea01a3e504ecad1974a08b8c7dcd9b9e57ffc4ff0b8a2e09e21551492d3dfe9a81b918d3fbaff0d61ed77e7e0ae66
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBuB/bSqz8:sxX7QnxrloE5dpUppbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	9ef5e12336cde017f467dbfe49bea1e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
3040	ecadob.exe
800	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocK3\\adobec.exe"	9ef5e12336cde017f467dbfe49bea1e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJR\\bodaloc.exe"	9ef5e12336cde017f467dbfe49bea1e0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	9ef5e12336cde017f467dbfe49bea1e0N.exe
2740	9ef5e12336cde017f467dbfe49bea1e0N.exe
2740	9ef5e12336cde017f467dbfe49bea1e0N.exe
2740	9ef5e12336cde017f467dbfe49bea1e0N.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe
3040	ecadob.exe
3040	ecadob.exe
800	adobec.exe
800	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3040	2740	9ef5e12336cde017f467dbfe49bea1e0N.exe	87
PID 2740 wrote to memory of 3040	2740	9ef5e12336cde017f467dbfe49bea1e0N.exe	87
PID 2740 wrote to memory of 3040	2740	9ef5e12336cde017f467dbfe49bea1e0N.exe	87
PID 2740 wrote to memory of 800	2740	9ef5e12336cde017f467dbfe49bea1e0N.exe	88
PID 2740 wrote to memory of 800	2740	9ef5e12336cde017f467dbfe49bea1e0N.exe	88
PID 2740 wrote to memory of 800	2740	9ef5e12336cde017f467dbfe49bea1e0N.exe	88

C:\Users\Admin\AppData\Local\Temp\9ef5e12336cde017f467dbfe49bea1e0N.exe
"C:\Users\Admin\AppData\Local\Temp\9ef5e12336cde017f467dbfe49bea1e0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\IntelprocK3\adobec.exe
  C:\IntelprocK3\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocK3\adobec.exe

Filesize
111KB

MD5
bfe13093448409f3d9622d6aae54689b

SHA1
6df1139ad200d44d9c02ce5ab2acd6ba860b35e2

SHA256
e38feb5a714a74228a7050d1d831c42bb9a99821f80568435a76006b968895c8

SHA512
5c2e00ed33db8de3a2eacca1e4e3d9c204eb257998a81f6647e8caa356d2e73ee7741d16b0fd16e14f19150aed8ad3107833123b5c681648ab3cad41de07a64c

Download Submit
C:\IntelprocK3\adobec.exe

Filesize
3.6MB

MD5
e4a2e343abe7b977511a20d66edb2275

SHA1
373cf686d7aea159beb4d0b44badeb86d685a4d2

SHA256
5dd3da724456b8ad9e5e427e07e159463e6b3cf69d08bfac220e4e0ee3eb405e

SHA512
3d2f0dc1a0358c12aa92b104af86da59d50b2ef0bd161f3c39658306339e223d978581e9a3601fa62f74ffb5b1c45e13c0314f4b55992240c8c76bcf47d5db39

Download Submit
C:\MintJR\bodaloc.exe

Filesize
10KB

MD5
97183a53db85f80c5c65a84230319c99

SHA1
38ebd5b073338c908beb00c4207a9a9bd816e157

SHA256
49a49585b78e1b7d2f4487aa2386e0723707b94dcce968b7599c776fdfbb6467

SHA512
9650b8fc9f5409f50ad57412a9a82bab33582a7e64d3c869fe639c5e7723123b5826bf923b8a7c9c1488641d4e6873ca744ffffb1ccfa4c5656763e0972a4622

Download Submit
C:\MintJR\bodaloc.exe

Filesize
447KB

MD5
1dc38781176be25e3600c2ded876f946

SHA1
3301054c4f6ccb51a665c95923843147d4b8e0da

SHA256
507947cde9fe9100bc6973b1cd88a51966a55c85564cb795a4b5679c51754741

SHA512
60f14fae2b0b05856cb44436c2e6b9fa567efe08e13e3db85e15925e3313c4a51202f7adbbade58a9e7bb766072cc10ad6a063cc7978b4204104d140281ac016

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
4cb3aea3cd860078c70fc647d2037a33

SHA1
ae5ec3105371c7b6a43abfc99a8291ee76a35bf4

SHA256
a433ec941bb67e8bac26678c62086c491e68cff60a9bca2551b5311976849829

SHA512
c5eefa2b920b0d2af7e4d9f61c603f7d76dd50fac8b7db19f681ec95c8044e18bd4693ad33aedc17f71c506ac96b02a783e9cde6913710b3f4bfd1e526199dd2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
a5eebf1b3816885e5c6f81f70d608739

SHA1
b486f54cc04ebd8a72adeea45f7466179bb4e055

SHA256
2ae02e332fafca2b8b528b795ea4cb72745ebd6102736c2001844ee34255778d

SHA512
f9c84e0438ddf9b0cee9b6c6d819e776cbd57563c4dc503a2bf822868f5f6e488f923ce0fd00eeeea0ad2a315562f0c559762780ddbc7acec8d560b0865cf568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.6MB

MD5
196a66d0e49429162fef5051c8bac48b

SHA1
4ab0dc28ca3c175b2e8b36e220315e7f9b2a2dcb

SHA256
1d2889b3cc713538cf05ce85a4ebc985e32607dc4848e6c918342b9db1aaab02

SHA512
e5987a9d127b6479392d5f2a46632d736349531702c63668c649b7a38fe27d7e80e1b4065af9fd6e84a41bae0440b1ec06c9f164dda0aae080cd9ed175f017a4

Download Submit