5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
Size

3.1MB
MD5

2ffa18d49924b3e47adca70c2f624470
SHA1

e954bb0f912d094a976eb20861bc68f4e7dd0774
SHA256

5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345
SHA512

185d27bab7f0e1a9080612941ca32e47d3de7bcddc2b0fb57aa2f771009e70ec07cf519f7572195221313c7a3284abe574016ff1656e152f141ed83be98d2f89
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSqz8:sxX7QnxrloE5dpUpRbVz8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	ecadob.exe
1608	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBO\\adobec.exe"	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidS6\\dobasys.exe"	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecadob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe
2884	ecadob.exe
1608	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 2884	292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	28
PID 292 wrote to memory of 2884	292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	28
PID 292 wrote to memory of 2884	292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	28
PID 292 wrote to memory of 2884	292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	28
PID 292 wrote to memory of 1608	292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	29
PID 292 wrote to memory of 1608	292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	29
PID 292 wrote to memory of 1608	292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	29
PID 292 wrote to memory of 1608	292	5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe	29

C:\Users\Admin\AppData\Local\Temp\5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe
"C:\Users\Admin\AppData\Local\Temp\5eef1c5383a77f0dca93c5c231ca0bda4d39cd6d3a2200e7ccad64d6e2478345.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:292
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\FilesBO\adobec.exe
  C:\FilesBO\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesBO\adobec.exe

Filesize
3.1MB

MD5
3be9e8cb3f7fcfbc1bcdc83d2e933be8

SHA1
acc1f1d3f401dd5a2fc7ae0d7b1ad6bdd1cf49b1

SHA256
3f6933a2aa17786178b245c998cac25b4f2bf18ef74603d8bbdb04040a9a61fe

SHA512
db3c3cc3d4336f8989c2a58701141a8736ef98b77f1113d40ca8e26cb534acb09eba2e477c5e5e19cdfa747286b680ceed4c5d17522c5c598e0a1343187422c4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
165B

MD5
19625c9c9891c3fd5bc26459f3d5fed5

SHA1
7e671ff2af6153eec955089a5cdbe20c07c64ed2

SHA256
74171fc22660e515ec19235cc0c2505706b0571c8beb8a271a84143533c7a511

SHA512
e16c1baf1d69253b38d09766e4cc79fd0304c2432b178dee9179121a2223b7840d06ed5e79185c7f9d52c3f7134cb1bab4485b91fe9b512bf268687d7869d0b2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
197B

MD5
591422eb80992d6ec19d6f41071786cf

SHA1
531de5fed713da32aa5d16f422bc0d4b2010c156

SHA256
83e0f8eb8a7b97190d7c5e1ac844c3e352fb63e6adf36a9d29dea14132e2cb78

SHA512
6e61acd2ff815e7ffdc0ea661a4bed86068ff739338d0a1d905e24849118d88b616fe4210874fa3064017e8fea38a144377868cbdaae61e44b4886371623fc94

Download Submit
C:\VidS6\dobasys.exe

Filesize
3.1MB

MD5
2e2b62e43cc086c0a044d8d8c3902f95

SHA1
53ea04e53bb1b4a3b9173abb906f10c5bcb627b1

SHA256
723c83120393091e1a6f6d11adaec753da36349e9113bb8c518a8e60bf8afeb4

SHA512
fdf8ce74c4bc9706cc676cc197f45213958c8a4854772381636dd7d025d60d3af48c51a93772f66b3c2cebae8028c4a0505b835f05b46dcad49ad2ed90b2c41e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
3.1MB

MD5
f046ad54bbabd2d0301b7193f8721f12

SHA1
68aa98e3d727b422a2189f738503630bab93f106

SHA256
e40d6c6677b1e61a795f53fb3a3a0181e65f26822011bfff59b91e3f709b187b

SHA512
4d20c2ec9351a1da61c7d551ce57ec56ae9d69bdb945c70c828c097004b4a751bc3a7fc0d95be61e0f6a1d4e8cbf2ef392df3230a1cc6505d925bba6b865f5af

Download Submit