fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Size

2.6MB
MD5

5499a17af6f5fa676c67767d371d5726
SHA1

bec05aa2bcf12f94ba03facc1538d7b774cfbc20
SHA256

fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f
SHA512

2fc31691f4f23858ba7d8cf11bf2bfda46c6f15d0420694a06f9c4d637fc7c7e417acc8cd991d61e7cfb44afa79c5ce91a14f6a143e3ce78d3c3b30600ad6873
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bS:sxX7QnxrloE5dpUp3b

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe

Executes dropped EXE 2 IoCs

pid	Process
228	ecdevopti.exe
2692	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocI4\\adobsys.exe"	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVQ\\dobxloc.exe"	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe
228	ecdevopti.exe
228	ecdevopti.exe
2692	adobsys.exe
2692	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 228	1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	87
PID 1180 wrote to memory of 228	1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	87
PID 1180 wrote to memory of 228	1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	87
PID 1180 wrote to memory of 2692	1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	90
PID 1180 wrote to memory of 2692	1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	90
PID 1180 wrote to memory of 2692	1180	fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe	90

C:\Users\Admin\AppData\Local\Temp\fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe
"C:\Users\Admin\AppData\Local\Temp\fc4a3f39e45857670fb51f3c5e6a71a30d499dc8d8deb5134e15becf4fd3731f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\IntelprocI4\adobsys.exe
  C:\IntelprocI4\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocI4\adobsys.exe

Filesize
17KB

MD5
f218ec25fbf44d8ada55b81c57e9368c

SHA1
3254b68c8ff9dd72772ec3c826687fc2f2e58051

SHA256
467e21f563b16934238c7063303543443c22689335e46bb9c062de8adfa02303

SHA512
a4d4e08e5dd2456e7d6dbe472cdfcec7bd18be974c39e1035955ed3d4dd06043ef6abf9551cd150c97e10652878ffcf1e8241e72ad729ce1a9c525863a8a35c9

Download Submit
C:\IntelprocI4\adobsys.exe

Filesize
2.6MB

MD5
d25a0d589f05aa2faa1e3ca18ee95ecd

SHA1
6dd264a94e254e327b7f4aa60d44d8de8766f1f1

SHA256
4aa1f77f9829dfb30fdaf267b9125491f0e2f2c0dfaf8964bd5ab7ee5d498267

SHA512
704b209ef3297074bb29985047b6717d775d0664c940724c170226dfa48399616b5effe977db7a63c48f0beb299c872fe91fd83d304184ae5944bae4c5b449da

Download Submit
C:\LabZVQ\dobxloc.exe

Filesize
702KB

MD5
99b860ef898581c0df73a09ed1ed4383

SHA1
d9c2069289960fffe3da8bbec7b3dff102ca7626

SHA256
4ee55fa9ba95749b8c8d2787271dd9c04b5761649c744ae92a442be44c39aad0

SHA512
448221e29f01b576706b41e10993c09d3684970b42142a8be9518fe0c07bdab08e436e2112b153fc7953bf4d2d13212b8a01828060bbf9c33fb0c15321e958bd

Download Submit
C:\LabZVQ\dobxloc.exe

Filesize
110KB

MD5
617f6035143ed9a9e5fbe494b6347852

SHA1
ca6e57b8091658caeaf7a40ab489835de57d7a0f

SHA256
0ab44d450e2fdae9c18f60e79ab8adc6af3de6f9021f5ec9a66e69700024c022

SHA512
fde3221c872cdef5574fb602d2a5379fdccdd0d2323cbecc99cb0fd829e866b731d58158f250f5199f6edddb393a83d4431c61c3e5028d49873e1988c31e73b1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
32e3bb1132edf9b48bccb68db803a9b5

SHA1
a42d4136b8102fb5ffb461632ef9b40d706924ea

SHA256
1ed33c0f47389c43f37b03ec240f070cda8537c7baae96807d6915b5db8b542e

SHA512
a79c09309cb880331e422d71483c6da7077f0152bdc8f438fd4e28f4bffc3387102d434e8821118f7d66a3554c81a6fd65c70cc94a8a714fd9f816493452c784

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
204db9a1e5cb38e1961a41ead5004190

SHA1
70d48904ad898a9e045331cad19b791eb4b5d154

SHA256
ebadd7d7aeeb2aa911a5429d55cca4cb12eeb4c61af125974c8d07970a83112e

SHA512
3140679162d2372678261d7a4f8e14207f9c3c2b4f60b810e2d9360be5c6cf1ec8c08c2b8b2aa3bac84aaf090b79d3a309f58766bb90301a99189b6ce6bfb1a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
18b46e25b316a14138dc58cf784d06c0

SHA1
334f5af7ed0c780c69d1fdeae315d086c1d3c139

SHA256
e8a5f75e9f59b97c601bc487ae8051bc2438131b1da4a1636fa60f1c13edc4f2

SHA512
34c62cd20028ab5e7b03808114ba2e12a1fbc25258e54b8a764b2952b37120a3b12a3135013355d0cf7b606798ae5be7e8d2c636d40f7655b99a7fec8bbf58ca

Download Submit