Analysis
Max time kernel: 149s
Max time network: 19s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 25/08/2024, 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Resource: win10v2004-20240802-en
General
Target: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
Size: 2.6MB
MD5: 33857aaf491139fc1ccf53db39555e6d
SHA1: 9530de07d75bf6a2122ac7dcd0ee58fad0aa2ce8
SHA256: f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47
SHA512: bd8a14e1823d16adaace2f0c648b6f5ffa9b848232185ae295e7560683743c5ac7a2590d9db8034553afd38bed82f2f2f8e7a7df7215fd3fdf64b5e93a8aa64b
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bS:sxX7QnxrloE5dpUpLb
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.
Drops startup file (1 IoC)
  Description   IoC                                                                                         Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
Executes dropped EXE (2 IoCs)
  PID   Process
  2204  ecdevdob.exe
  2264  xbodec.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  2268  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  2268  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Description      IoC                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8V\\xbodec.exe"        f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEL\\optidevec.exe"  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecdevdob.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xbodec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process                                                               Entries
  2268  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe  2
  2204  ecdevdob.exe                                                          31
  2264  xbodec.exe                                                            31
  (the 2204 and 2264 entries alternate in the original listing)
Suspicious use of WriteProcessMemory (8 IoCs)
  Description                      PID   Process                                                               procid_target  Entries
  PID 2268 wrote to memory of 2204  2268  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe  30             4
  PID 2268 wrote to memory of 2264  2268  f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe  31             4
Processes
C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe"
  PID: 2268
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    PID: 2204
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\Adobe8V\xbodec.exe
    Command line: C:\Adobe8V\xbodec.exe
    PID: 2264
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads