c8a861f5d84df03a97ec8b51d77b4ba91e6ccc84dd7222b70d5a1f065efcae24

Analysis

max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5a4639b5d423aa1079f67ae74ae010N.exe
Size

3.6MB
MD5

4b5a4639b5d423aa1079f67ae74ae010
SHA1

eeb5bedf3071f79797ce675be3511ea51691cadf
SHA256

c8a861f5d84df03a97ec8b51d77b4ba91e6ccc84dd7222b70d5a1f065efcae24
SHA512

fc252824c9df9f9127a6815c03f7871701c4180237e9b00c5163ed55a5563151220d5e26dfb75a3a279df4ee82c9aa2d5fa853b42cf0b75db8fdd22c56b8f4e5
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBLB/bSqz8:sxX7QnxrloE5dpUp8bVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	4b5a4639b5d423aa1079f67ae74ae010N.exe

Executes dropped EXE 2 IoCs

pid	Process
2240	ecabod.exe
2464	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4Q\\adobsys.exe"	4b5a4639b5d423aa1079f67ae74ae010N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCX\\optialoc.exe"	4b5a4639b5d423aa1079f67ae74ae010N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b5a4639b5d423aa1079f67ae74ae010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	4b5a4639b5d423aa1079f67ae74ae010N.exe
3652	4b5a4639b5d423aa1079f67ae74ae010N.exe
3652	4b5a4639b5d423aa1079f67ae74ae010N.exe
3652	4b5a4639b5d423aa1079f67ae74ae010N.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe
2240	ecabod.exe
2240	ecabod.exe
2464	adobsys.exe
2464	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2240	3652	4b5a4639b5d423aa1079f67ae74ae010N.exe	87
PID 3652 wrote to memory of 2240	3652	4b5a4639b5d423aa1079f67ae74ae010N.exe	87
PID 3652 wrote to memory of 2240	3652	4b5a4639b5d423aa1079f67ae74ae010N.exe	87
PID 3652 wrote to memory of 2464	3652	4b5a4639b5d423aa1079f67ae74ae010N.exe	90
PID 3652 wrote to memory of 2464	3652	4b5a4639b5d423aa1079f67ae74ae010N.exe	90
PID 3652 wrote to memory of 2464	3652	4b5a4639b5d423aa1079f67ae74ae010N.exe	90

C:\Users\Admin\AppData\Local\Temp\4b5a4639b5d423aa1079f67ae74ae010N.exe
"C:\Users\Admin\AppData\Local\Temp\4b5a4639b5d423aa1079f67ae74ae010N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\UserDot4Q\adobsys.exe
  C:\UserDot4Q\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintCX\optialoc.exe

Filesize
3.6MB

MD5
2130c6d1a3c4b66d2c597cc4e98fa9a9

SHA1
926cec06d50d41f857499cd40fd7c16af7bc9a88

SHA256
31c7d1577846f63f98631a79ad61f1e39a4558eccc97b6c803625d48f81b5d6e

SHA512
f3c341a31c3f951d159d6363f335770b1794e0c640f1d0a3efc38c9145ef9253629c8f856b6bb8bd03202875709c4d8071402670ae573c97d1e48ffd39426ac2

Download Submit
C:\MintCX\optialoc.exe

Filesize
251KB

MD5
dfd53f71aa6bddc740c3881b21f88f7a

SHA1
30497bd7390885723f85873c90b157254a24b1c1

SHA256
33a28679acb9194b5468a8a2ef3da21bed05c6ec19a79002131aefe629de94fd

SHA512
27cb918bb9d67647c892c63bb486419c5061ebbf3ab1a3082662a3efe6367fb3d544ebffb2574ce63bb9c28946b1991b45f5d77a0cff58bbc661adf1b47b1927

Download Submit
C:\UserDot4Q\adobsys.exe

Filesize
3.6MB

MD5
90eab182cc4679096e4f973add90c88e

SHA1
f1dfe55f98eee52456a6438e5e2c1a57e67b1619

SHA256
e365996d6e39a1c2fe74e725e198e15a8dc7010aa86ca10d786595cc44e58661

SHA512
f5b4921c02b77def2f517c52066d6ee5276c725503ddd6836ccc44bf799f37a3ec014ae2dbaec46cc23ef7b2c87b7992696d77c2986c2ba737d46f3ddd46086a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
b9420a859244dc70b7c5fa449520ea5b

SHA1
ae7ee5146a436062b861fc62fdadcf6727d3f785

SHA256
b6fbcbec6b397f9cf70a1191c379f8a8ec3e40266bbcdb75e096308e4a9ab979

SHA512
ceb2718a0d4dcce4413b66b7348e712dbeca80090da04e37c6b61412f7307c622b0281d3cf34300abfc40e8f0f80c06b231cdfac9c6e811532f7743f97bf1578

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
0135cd871aeb55a34b4a757e7ce4df92

SHA1
0d82e3500e34203158b71f669797a7a8e4e683eb

SHA256
c8f00ab1cb93354a2db6ca834bed76f14caa02adbbeca98d8d45fbbd90b21829

SHA512
f7087f2300b602148a7a961a4fbd5e79bb37b87d1bf2f2e1c362debcf29dfb3082f18c9e78f4ee1b04f0386491cea68e498fc5341ff3d1beaee080a044a5311e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
3.6MB

MD5
54dabb7175d1d9b99921d188a35ff950

SHA1
a1199cf307a4260af577e78c156fbccdec97909f

SHA256
1bf29d4e7cf0fd97945a2c08ac59b861e790684723f49bb55f60d1696ba89470

SHA512
110f18c5e9ab0f96084f9a60ee3a2d583a1a70464dfdd8b1d11c30573aa223c87def98f732313d110c6f0b964620480061847dda0b108fc8eef5be17bda7f656

Download Submit