6125c0bc6e882c126e62e2e167ed7dbd95be7a657a28222b5c0adf441dfc5c97

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b96389758a306664ea250dcd695713e0N.exe
Size

2.6MB
MD5

b96389758a306664ea250dcd695713e0
SHA1

295944fdf2f79898c3b78dc86d2a27f4d68893fb
SHA256

6125c0bc6e882c126e62e2e167ed7dbd95be7a657a28222b5c0adf441dfc5c97
SHA512

a8a0d35a72cd6946f1df07dfd97cfa4485e331157883a59bed4204abcc47edcd403bc07744b34c0dd60a5a84fb79eb402b15a39d6f9e68e09aa49956a971ec39
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB6B/bS:sxX7QnxrloE5dpUpxb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	b96389758a306664ea250dcd695713e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2908	ecdevdob.exe
1636	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	b96389758a306664ea250dcd695713e0N.exe
2552	b96389758a306664ea250dcd695713e0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFI\\adobsys.exe"	b96389758a306664ea250dcd695713e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSC\\dobxec.exe"	b96389758a306664ea250dcd695713e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b96389758a306664ea250dcd695713e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	b96389758a306664ea250dcd695713e0N.exe
2552	b96389758a306664ea250dcd695713e0N.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe
2908	ecdevdob.exe
1636	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2908	2552	b96389758a306664ea250dcd695713e0N.exe	29
PID 2552 wrote to memory of 2908	2552	b96389758a306664ea250dcd695713e0N.exe	29
PID 2552 wrote to memory of 2908	2552	b96389758a306664ea250dcd695713e0N.exe	29
PID 2552 wrote to memory of 2908	2552	b96389758a306664ea250dcd695713e0N.exe	29
PID 2552 wrote to memory of 1636	2552	b96389758a306664ea250dcd695713e0N.exe	30
PID 2552 wrote to memory of 1636	2552	b96389758a306664ea250dcd695713e0N.exe	30
PID 2552 wrote to memory of 1636	2552	b96389758a306664ea250dcd695713e0N.exe	30
PID 2552 wrote to memory of 1636	2552	b96389758a306664ea250dcd695713e0N.exe	30

C:\Users\Admin\AppData\Local\Temp\b96389758a306664ea250dcd695713e0N.exe
"C:\Users\Admin\AppData\Local\Temp\b96389758a306664ea250dcd695713e0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\SysDrvFI\adobsys.exe
  C:\SysDrvFI\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvFI\adobsys.exe

Filesize
2.6MB

MD5
5e023d2219cdb4dd3913a15397a5d4a5

SHA1
4990866688837e758effad2aa3f16171756c8c63

SHA256
2ded9d656efc4674736aa9ce791cf48b7a8b0bcbe3f6dff892fef0ff39cbfb71

SHA512
d0b976d69af2288109dfb611e9d61e00c77a67de090ddca8b73370ef0af52b9c29541a521c03765a16fa9215cfbeae353d8664d2b30920153a5192a5986d8bf8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
2a8fc72dfc816a8519622c6504703d54

SHA1
fd0a09e5a699790911a68302be9784a273eb5d9c

SHA256
f68f0e4064e5d406fad8396d3a71aa0f0d710ad61aca01e0796a1e2a5854dfe2

SHA512
6b3b3318b62d6d8773fd07cca72ca2193e2b98544b4a5dc22ef166170d2ca721c47dc91e42ce52afb9cf773d87d99c09f69ff0a1d33e1f94b7459bc2dec6f0b5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
aeac1b10b8ca28d34863b5d3e4380347

SHA1
25aa67fa11a0c276c1f3aa0733fa1372892aea9f

SHA256
cb2ab6fec011a9e08a69eab3d838887030a0cde613dde7be35c58649db129d7d

SHA512
5ddd6361da86bddf863161ee8cc79692e98bd40d08cdf4532130773deed10fda6bc2441f5d047dcccbd40a94407f3ee0f03feaf7563a790c79a53dfaeffffda0

Download Submit
C:\VidSC\dobxec.exe

Filesize
2.0MB

MD5
2456e825ceeedb20f71206165d49e947

SHA1
890f9632fef2a6bf43a9dfd735746c09de658961

SHA256
bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606

SHA512
970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e

Download Submit
C:\VidSC\dobxec.exe

Filesize
2.6MB

MD5
537bba9d223060a1c16f8584da18120d

SHA1
d48082beafdc967ad887269720db1a83003da1bc

SHA256
9df12b0d4cdcb970322835bb3fbcceefc4c400eaacbb13639055968e88cdde55

SHA512
d2902ca99405d140f8539ce1bcf570ca2a51cfbcb0aa60e483a556e03edd3eef59af3e8b62a7d93d16baa0f7da275ba56337d6042c37404c7eb871d07031c13e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
56106f3592d679bc39b9a2e584074128

SHA1
4ee6a7df0feaa94fab3192f70e815a8a52c9fedd

SHA256
72cc4a4db46223cc618b638a3478771f3ca86c10886e5a238febc6bf15131404

SHA512
c3bb32e1e6118f97f19e77b49c262cd0799610444f38ea7c043db29e212a1234e08567f22e21a0e3c4e2665233467fd88aec5a3d5b587c65fff2a8cbe3fbbe2d

Download Submit