Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/08/2024, 00:00

General

  • Target
    e08732a0b630c169dc6054b22e44a830N.exe
  • Size
    2.6MB
  • MD5
    e08732a0b630c169dc6054b22e44a830
  • SHA1
    c8d3a7195afadee55e0e73c82bf6d8ea71f1843e
  • SHA256
    312c5e997c8d1a8fb9ff4b9c574b8e5e32253325e4f8dc72774cf4838ae0b18c
  • SHA512
    dafc8f029b4b338bd0f69575ec5a97e5f416b8e27ef93f208b07c2612f26fe58a4d39764509d65e44a6f625ccdb6e67d3c2ed7508d61d5d22fc90874b743f0ca
  • SSDEEP
    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUpDb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e08732a0b630c169dc6054b22e44a830N.exe
    "C:\Users\Admin\AppData\Local\Temp\e08732a0b630c169dc6054b22e44a830N.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2684
    • C:\IntelprocY6\adobec.exe
      C:\IntelprocY6\adobec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2940

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\IntelprocY6\adobec.exe
    Filesize
    2.6MB
    MD5
    31240ebe62df965892e3d1e2a7badeb5
    SHA1
    45a39d948836e60863da223606382f23fda3327c
    SHA256
    1e8b81148d7d90a817b4a20da52395b89a4d835c272dca21a38e348f5ed1d520
    SHA512
    af46c9f8d394beb619a2a8b8a348ffb8c0a5584d91a7ac495da527b7d9fdb3b3af59a84416f992c91d64c1f514830ccf43906cfdab1fd22b96a31d13372620c4

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    171B
    MD5
    a504126a17b4db119525005ecc1880b2
    SHA1
    8ba3b1e1325f9423be378f1143e6d476a2c2ccc9
    SHA256
    22de358953e7401185e1acaefa60b85caee7f8768f1758f0d7178f636829f019
    SHA512
    08dccc1f32c944c054f8d508ae79c0dcf09f63c62338f63913c1ca2f0b67739d85ecabe2aa7cda3c451960ce4a3526171c25f3a50f13e54af262f8543b91bfda

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize
    203B
    MD5
    5e444eb39cc3de515c8ed68318f50326
    SHA1
    1b7aa7bb11819536bf5a79c3fa91bc6e8500a530
    SHA256
    0bbec0ad34080c29c2000de3a0029f74468416a8d225a0f439008b3c7f66ee5c
    SHA512
    f8aa17156783d106cf9995e2a7bb2a34aefc1470b657d8d47d5c9006b4e381dae98045a7abc25d6c6928032bbaf548d069c5fa6969022cb0a6203638d828ada8

  • C:\VidE6\optixec.exe
    Filesize
    1023KB
    MD5
    c2d428bd09c72902d4d724b83e83eb52
    SHA1
    a8ae7c4d9420c96389153367b7e28570ac31a18a
    SHA256
    98c8bb9c1f3296fbbc3f0f29d598b18fa61bb0dbea3c3b0e8dcad9c62217ec5b
    SHA512
    51c6cb05790baf207a9cc832a18c1508cd61bc27634557f960d069c0114c16d96e2fd7b400d06d92f610a60c83c91cd8d101d74750a3e80b07aef94cbe8eec9b

  • C:\VidE6\optixec.exe
    Filesize
    24KB
    MD5
    541fec65455d5b34bd07a7b314994d2c
    SHA1
    55079bcde6bbc149b17389609709433e60bfb3d4
    SHA256
    a426abba53e984d2d5760dc5deb76e09ebbb0d0d03e5cd262861f7afb8f71d4c
    SHA512
    da54133de62360679354767fa7c44ea7c6e60cadc731344357b797e71a220936653e216b468a97b415fa4082ee2e3120ff9ebb80aac7b9a7238c6b8da7769b1e

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Filesize
    2.6MB
    MD5
    229cc05321afc2a8bddc20f035bd65ec
    SHA1
    1f807e29749634b017b7089fe521d544502f2f78
    SHA256
    7bc23b560c1ce88bb320c152ef3e4251990541bd044c9a6fd399a92b6cc5cc1c
    SHA512
    2527b11615d562d4911c3c00d905259987411ab7c787a46082fd95f85458c20d6f8b320e223fbb0a788b6e9535c448f2393481f7304b760397cb9df568bd5288