Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/08/2024, 04:55

General

  • Target
    fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
  • Size
    2.6MB
  • MD5
    5499a17af6f5fa676c67767d371d5726
  • SHA1
    bec05aa2bcf12f94ba03facc1538d7b774cfbc20
  • SHA256
    fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f
  • SHA512
    2fc31691f4f23858ba7d8cf11bf2bfda46c6f15d0420694a06f9c4d637fc7c7e417acc8cd991d61e7cfb44afa79c5ce91a14f6a143e3ce78d3c3b30600ad6873
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp3b

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
    "C:\Users\Admin\AppData\Local\Temp\fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:228
    • C:\IntelprocI4\adobsys.exe
      C:\IntelprocI4\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocI4\adobsys.exe
    Filesize: 17KB
    MD5: f218ec25fbf44d8ada55b81c57e9368c
    SHA1: 3254b68c8ff9dd72772ec3c826687fc2f2e58051
    SHA256: 467e21f563b16934238c7063303543443c22689335e46bb9c062de8adfa02303
    SHA512: a4d4e08e5dd2456e7d6dbe472cdfcec7bd18be974c39e1035955ed3d4dd06043ef6abf9551cd150c97e10652878ffcf1e8241e72ad729ce1a9c525863a8a35c9

  • C:\IntelprocI4\adobsys.exe
    Filesize: 2.6MB
    MD5: d25a0d589f05aa2faa1e3ca18ee95ecd
    SHA1: 6dd264a94e254e327b7f4aa60d44d8de8766f1f1
    SHA256: 4aa1f77f9829dfb30fdaf267b9125491f0e2f2c0dfaf8964bd5ab7ee5d498267
    SHA512: 704b209ef3297074bb29985047b6717d775d0664c940724c170226dfa48399616b5effe977db7a63c48f0beb299c872fe91fd83d304184ae5944bae4c5b449da

  • C:\LabZVQ\dobxloc.exe
    Filesize: 702KB
    MD5: 99b860ef898581c0df73a09ed1ed4383
    SHA1: d9c2069289960fffe3da8bbec7b3dff102ca7626
    SHA256: 4ee55fa9ba95749b8c8d2787271dd9c04b5761649c744ae92a442be44c39aad0
    SHA512: 448221e29f01b576706b41e10993c09d3684970b42142a8be9518fe0c07bdab08e436e2112b153fc7953bf4d2d13212b8a01828060bbf9c33fb0c15321e958bd

  • C:\LabZVQ\dobxloc.exe
    Filesize: 110KB
    MD5: 617f6035143ed9a9e5fbe494b6347852
    SHA1: ca6e57b8091658caeaf7a40ab489835de57d7a0f
    SHA256: 0ab44d450e2fdae9c18f60e79ab8adc6af3de6f9021f5ec9a66e69700024c022
    SHA512: fde3221c872cdef5574fb602d2a5379fdccdd0d2323cbecc99cb0fd829e866b731d58158f250f5199f6edddb393a83d4431c61c3e5028d49873e1988c31e73b1

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 206B
    MD5: 32e3bb1132edf9b48bccb68db803a9b5
    SHA1: a42d4136b8102fb5ffb461632ef9b40d706924ea
    SHA256: 1ed33c0f47389c43f37b03ec240f070cda8537c7baae96807d6915b5db8b542e
    SHA512: a79c09309cb880331e422d71483c6da7077f0152bdc8f438fd4e28f4bffc3387102d434e8821118f7d66a3554c81a6fd65c70cc94a8a714fd9f816493452c784

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 174B
    MD5: 204db9a1e5cb38e1961a41ead5004190
    SHA1: 70d48904ad898a9e045331cad19b791eb4b5d154
    SHA256: ebadd7d7aeeb2aa911a5429d55cca4cb12eeb4c61af125974c8d07970a83112e
    SHA512: 3140679162d2372678261d7a4f8e14207f9c3c2b4f60b810e2d9360be5c6cf1ec8c08c2b8b2aa3bac84aaf090b79d3a309f58766bb90301a99189b6ce6bfb1a0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
    Filesize: 2.6MB
    MD5: 18b46e25b316a14138dc58cf784d06c0
    SHA1: 334f5af7ed0c780c69d1fdeae315d086c1d3c139
    SHA256: e8a5f75e9f59b97c601bc487ae8051bc2438131b1da4a1636fa60f1c13edc4f2
    SHA512: 34c62cd20028ab5e7b03808114ba2e12a1fbc25258e54b8a764b2952b37120a3b12a3135013355d0cf7b606798ae5be7e8d2c636d40f7655b99a7fec8bbf58ca