Analysis
max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
10/08/2024, 04:55
Static task
static1
Behavioral task
behavioral1
Sample
fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Resource
win10v2004-20240802-en
General
Target
fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Size
2.6MB
MD5
5499a17af6f5fa676c67767d371d5726
SHA1
bec05aa2bcf12f94ba03facc1538d7b774cfbc20
SHA256
fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f
SHA512
2fc31691f4f23858ba7d8cf11bf2bfda46c6f15d0420694a06f9c4d637fc7c7e417acc8cd991d61e7cfb44afa79c5ce91a14f6a143e3ce78d3c3b30600ad6873
SSDEEP
49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp3b
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of a web browser credential store.

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe

Executes dropped EXE (2 IoCs)
pid | Process
228 | ecdevopti.exe
2692 | adobsys.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocI4\\adobsys.exe" | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVQ\\dobxloc.exe" | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevopti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobsys.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (the 64 entries are repeated occurrences of these three pid/Process pairs)
1180 | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
228 | ecdevopti.exe
2692 | adobsys.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1180 wrote to memory of 228 | 1180 | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe | 87
PID 1180 wrote to memory of 228 | 1180 | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe | 87
PID 1180 wrote to memory of 228 | 1180 | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe | 87
PID 1180 wrote to memory of 2692 | 1180 | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe | 90
PID 1180 wrote to memory of 2692 | 1180 | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe | 90
PID 1180 wrote to memory of 2692 | 1180 | fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe"
  PID: 1180
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      PID: 228
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\IntelprocI4\adobsys.exe
      command line: C:\IntelprocI4\adobsys.exe
      PID: 2692
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
17KB
MD5
f218ec25fbf44d8ada55b81c57e9368c
SHA1
3254b68c8ff9dd72772ec3c826687fc2f2e58051
SHA256
467e21f563b16934238c7063303543443c22689335e46bb9c062de8adfa02303
SHA512
a4d4e08e5dd2456e7d6dbe472cdfcec7bd18be974c39e1035955ed3d4dd06043ef6abf9551cd150c97e10652878ffcf1e8241e72ad729ce1a9c525863a8a35c9

Filesize
2.6MB
MD5
d25a0d589f05aa2faa1e3ca18ee95ecd
SHA1
6dd264a94e254e327b7f4aa60d44d8de8766f1f1
SHA256
4aa1f77f9829dfb30fdaf267b9125491f0e2f2c0dfaf8964bd5ab7ee5d498267
SHA512
704b209ef3297074bb29985047b6717d775d0664c940724c170226dfa48399616b5effe977db7a63c48f0beb299c872fe91fd83d304184ae5944bae4c5b449da

Filesize
702KB
MD5
99b860ef898581c0df73a09ed1ed4383
SHA1
d9c2069289960fffe3da8bbec7b3dff102ca7626
SHA256
4ee55fa9ba95749b8c8d2787271dd9c04b5761649c744ae92a442be44c39aad0
SHA512
448221e29f01b576706b41e10993c09d3684970b42142a8be9518fe0c07bdab08e436e2112b153fc7953bf4d2d13212b8a01828060bbf9c33fb0c15321e958bd

Filesize
110KB
MD5
617f6035143ed9a9e5fbe494b6347852
SHA1
ca6e57b8091658caeaf7a40ab489835de57d7a0f
SHA256
0ab44d450e2fdae9c18f60e79ab8adc6af3de6f9021f5ec9a66e69700024c022
SHA512
fde3221c872cdef5574fb602d2a5379fdccdd0d2323cbecc99cb0fd829e866b731d58158f250f5199f6edddb393a83d4431c61c3e5028d49873e1988c31e73b1

Filesize
206B
MD5
32e3bb1132edf9b48bccb68db803a9b5
SHA1
a42d4136b8102fb5ffb461632ef9b40d706924ea
SHA256
1ed33c0f47389c43f37b03ec240f070cda8537c7baae96807d6915b5db8b542e
SHA512
a79c09309cb880331e422d71483c6da7077f0152bdc8f438fd4e28f4bffc3387102d434e8821118f7d66a3554c81a6fd65c70cc94a8a714fd9f816493452c784

Filesize
174B
MD5
204db9a1e5cb38e1961a41ead5004190
SHA1
70d48904ad898a9e045331cad19b791eb4b5d154
SHA256
ebadd7d7aeeb2aa911a5429d55cca4cb12eeb4c61af125974c8d07970a83112e
SHA512
3140679162d2372678261d7a4f8e14207f9c3c2b4f60b810e2d9360be5c6cf1ec8c08c2b8b2aa3bac84aaf090b79d3a309f58766bb90301a99189b6ce6bfb1a0

Filesize
2.6MB
MD5
18b46e25b316a14138dc58cf784d06c0
SHA1
334f5af7ed0c780c69d1fdeae315d086c1d3c139
SHA256
e8a5f75e9f59b97c601bc487ae8051bc2438131b1da4a1636fa60f1c13edc4f2
SHA512
34c62cd20028ab5e7b03808114ba2e12a1fbc25258e54b8a764b2952b37120a3b12a3135013355d0cf7b606798ae5be7e8d2c636d40f7655b99a7fec8bbf58ca