2f59f2c13d923e9bb01ef423f2daf60d4dc7fc024d5a56e29dd48c77b75be160

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3352fde1244027dd7cfaf8506ecb3270N.exe
Size

3.0MB
MD5

3352fde1244027dd7cfaf8506ecb3270
SHA1

3dad82981a3ac30bf0508a2ab03e3faea8f78159
SHA256

2f59f2c13d923e9bb01ef423f2daf60d4dc7fc024d5a56e29dd48c77b75be160
SHA512

5b72b3d3ba60c9a10fbcb74a6b9c7ebb250e3e81c2620bd8ec772f0d769dede6ab0573fd011b0ad5974205b336858d198b3e03cdd0f7f2f7f7900d8d86a509da
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8:sxX7QnxrloE5dpUpbbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	3352fde1244027dd7cfaf8506ecb3270N.exe

Executes dropped EXE 2 IoCs

pid	Process
1780	ecdevbod.exe
1036	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotD6\\adobloc.exe"	3352fde1244027dd7cfaf8506ecb3270N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPA\\optiasys.exe"	3352fde1244027dd7cfaf8506ecb3270N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3352fde1244027dd7cfaf8506ecb3270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1120	3352fde1244027dd7cfaf8506ecb3270N.exe
1120	3352fde1244027dd7cfaf8506ecb3270N.exe
1120	3352fde1244027dd7cfaf8506ecb3270N.exe
1120	3352fde1244027dd7cfaf8506ecb3270N.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe
1780	ecdevbod.exe
1780	ecdevbod.exe
1036	adobloc.exe
1036	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1780	1120	3352fde1244027dd7cfaf8506ecb3270N.exe	88
PID 1120 wrote to memory of 1780	1120	3352fde1244027dd7cfaf8506ecb3270N.exe	88
PID 1120 wrote to memory of 1780	1120	3352fde1244027dd7cfaf8506ecb3270N.exe	88
PID 1120 wrote to memory of 1036	1120	3352fde1244027dd7cfaf8506ecb3270N.exe	91
PID 1120 wrote to memory of 1036	1120	3352fde1244027dd7cfaf8506ecb3270N.exe	91
PID 1120 wrote to memory of 1036	1120	3352fde1244027dd7cfaf8506ecb3270N.exe	91

C:\Users\Admin\AppData\Local\Temp\3352fde1244027dd7cfaf8506ecb3270N.exe
"C:\Users\Admin\AppData\Local\Temp\3352fde1244027dd7cfaf8506ecb3270N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\UserDotD6\adobloc.exe
  C:\UserDotD6\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintPA\optiasys.exe

Filesize
3.0MB

MD5
8a3b55ce4c209918857c45ac3cbbabbd

SHA1
2f197b0503dda1b91d7bac9a5b46e09289af2aab

SHA256
e996e207ee31f9915f4555868b3911a6978de4a50eabe24de134a16887906a5b

SHA512
bcc081e9310f65eb2e5f2a56fa4f4e297c70b06b802236a772997698cc4c72b1f78c6dcf9cc550cb03cc7fe1d9dc853db50e560ac6dcefb0c489cfd98cb1d6b1

Download Submit
C:\MintPA\optiasys.exe

Filesize
3.0MB

MD5
55b7ceea2c2efaad29aad386799db00a

SHA1
f164c0cbf7ccec26dcec04baf66e9f22fb94042f

SHA256
840dd37049c0894732f0019a5692760a0ac785d89570a2ee3f04161dfab9d810

SHA512
b6afd0bc836433485ef1e42e18888639a1af269024503bc74f48fb72698fc3aacc7a2bd35cf39f5d7d1c3ff88f1fdfa2332123829be9974f47fdec74c4b52e54

Download Submit
C:\UserDotD6\adobloc.exe

Filesize
615KB

MD5
41de40a79781386cd565f96a1bf86add

SHA1
e6f570e175ab099a4b33799423d6a44885562e4f

SHA256
09773ad1b2aa931c35dfdf509b076148e51de800e49517bc41ec3f6f9bd85b1f

SHA512
f1b7182e9c3f2a756cd6dcfe71b76f5ee041bb5c56d8db69f53c0e2d901785f248fdad59331a39890d2d67934d9767cc11276945de8cb7cee463345e401fb0f4

Download Submit
C:\UserDotD6\adobloc.exe

Filesize
3.0MB

MD5
e48234ea18153b794d852151907e7ad7

SHA1
e151e48f66265d4e5ffe305241e4bbc98542d482

SHA256
8859673024400da0f0cfde1a8f7d8f969a2ad04f621b20e7c9738eda3ab50365

SHA512
016c75ec845157647bb267775b3bc992b1b8a3af4505e0410c20f7e13745237ff4d1e3c4bb5e4043ec3506c1e57730b4be74ed31b02c9a70da15fe13880124f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
13c2a7e90a264afd0ac7e5d51d27c538

SHA1
b232f2b418fc4df2afbf16a288aca1d21d14db83

SHA256
2532fcfe7626076cfa5e663d74d6e5458babe62e27f29cad6acccc89ec1b5379

SHA512
49b72cbec83532e269062fea65be74af4392e13b25947fe159f80ae0fff202276ee3740c567fa98804495dd3826ce9529a77a8918a1e803378b7a30d9863f6ca

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
a690b0751089f68e49336d6b944c6293

SHA1
5c5d2ed3e5b04cd0d5d0e106c4815e4bdc7cc867

SHA256
bc9c2ef7e87abac6ff2cd4f8824e95b7767733e858bb8c60974584f1c4dea853

SHA512
f48fb0cc9ee9b7e3ef4396a94d17e8aca1107b676945fbb232a167d3c09e338f9a9a122f7a80ed41fbc1a7e758ffbadc467c8d9cd94f5a7eab756bc550f36922

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.0MB

MD5
5ded347363798ba26b5d2041e35dcf63

SHA1
7d884977ebcc6e32501705ba0c6b595a738fb561

SHA256
c2d8088d2f4499a95498ee06df7a1f2fac2a38f827a0806c5aad7c8e9a304558

SHA512
c0bdf1c34c17a5221b093100f6febad9fa90ad9c7e6974b1b0bf0be8af8ce2e6a83ed1ffbdc00726cf54439b12be6703ea2f8c8e5bab7558da7f99eeabfcf39c

Download Submit