aa4562b293c9126d076d83723b89798e695f9423a4eeba10d4c90a92020c9542

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdc3b4f2b1652a2c42bddbc6e4bee990N.exe
Size

2.6MB
MD5

fdc3b4f2b1652a2c42bddbc6e4bee990
SHA1

62d4e19aa1b8384f1eaa7bdeb7fe42e3be5e15ec
SHA256

aa4562b293c9126d076d83723b89798e695f9423a4eeba10d4c90a92020c9542
SHA512

be2cd7d53fb09ab9e8ae34584329efdcb986822559e54ac8433e8ddcb1eb5498cafae6d87c8e7be3f50b79db367bfbb0981cfbc4b3d067b10e98de9b7cb77f42
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bS:sxX7QnxrloE5dpUprb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	ecabod.exe
2964	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe
2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv93\\adobsys.exe"	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUI\\boddevloc.exe"	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe
2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe
2380	ecabod.exe
2964	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2380	2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe	30
PID 2528 wrote to memory of 2380	2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe	30
PID 2528 wrote to memory of 2380	2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe	30
PID 2528 wrote to memory of 2380	2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe	30
PID 2528 wrote to memory of 2964	2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe	31
PID 2528 wrote to memory of 2964	2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe	31
PID 2528 wrote to memory of 2964	2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe	31
PID 2528 wrote to memory of 2964	2528	fdc3b4f2b1652a2c42bddbc6e4bee990N.exe	31

C:\Users\Admin\AppData\Local\Temp\fdc3b4f2b1652a2c42bddbc6e4bee990N.exe
"C:\Users\Admin\AppData\Local\Temp\fdc3b4f2b1652a2c42bddbc6e4bee990N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\SysDrv93\adobsys.exe
  C:\SysDrv93\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv93\adobsys.exe

Filesize
2.6MB

MD5
298746e26fb6be7940c2075d2b93a262

SHA1
a37ac92ea0402d0ea76329272e6c8dc456ff570a

SHA256
25d092f46df694d26fef21f43a9782b80e0f412e692309495df3b943eb526626

SHA512
3fe70e1af344bea96e0a74827f4e9317c625e3fd18a2f0f744ffcbcc0b98b8c9d0a985947c7b7f95c9ff6f1ce11b5b23198e14dc9be4c09246acdf983d1e6514

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
413e58fca09fda17c017488aff5bee16

SHA1
5ad76cf43f961a1cbfc488f859ef956c3b514847

SHA256
9004a51570d1a20ad58b2535e7782aee9ad003a1321a6ae8212ead98087656d9

SHA512
dce0c5fd9dfeb012184374a877efc345624345bb17308123801ff1d47dec3ec99214f3e08fe78257ad0b14a056d86cfc73d77ad2f981658ba03068e6f3542bd1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
f422b49528241b0342fb6d9044294251

SHA1
8870ca1f638f45a236cca3ca461771db9843ef5f

SHA256
00e2f4566e946ddd9a57cd3d0c93a32a5234407e1afcb5de74666d8b8d940ca0

SHA512
e7261eab7ce65e9815c9a6f60a02fc81752b8b115af66234375a58368079d96f71b239f8e0c2ce8da3741778fce92447337fd3ed785b4d6ca2dbbe1a81678254

Download Submit
C:\VidUI\boddevloc.exe

Filesize
2.6MB

MD5
886badb5cb783d8453b929ed61340a28

SHA1
736a29a0327082305cb9168bbb626fc97f7be904

SHA256
8150aa6ff3dbd1f4cd6b9cca9c1664329b571420f69fcdd2542e21fb70d1bef5

SHA512
6eeae321c11c0e1f4ad6b3c2f1a7093e5fd9701b52df01436f9864d388dcc1415e2b1510a4ff2ee3d3aa3245dde80d02fa62a028d52b374e8b73a3d6ace5ef02

Download Submit
C:\VidUI\boddevloc.exe

Filesize
2.6MB

MD5
5e248b29294bbc1bbe9cf91bc1d3dd0c

SHA1
b2ce4d8c665fd850a0363dde74eab91e46cf40e9

SHA256
e3734bb4c0fa1a6b6f604a96320f34a1d29086d85ce9c226014453c28841c1be

SHA512
6bfc69005869d0e6c6c1e136136a2ff32e6e69defc50d6c28ab67f03f6ef667ce33121bd24faba46d781f5e1fc85218973390621bce31e462bad9d33d5bb4e8e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

Filesize
2.6MB

MD5
5fb357ffa65b3402ee9d976968c689f0

SHA1
7e0e70b8a016aaedba6b44fca47b973a9eacdd37

SHA256
7ac6969dca4c0da4197b8afc5449661230df2041e641f4ab4774d45b5ca6b4df

SHA512
77781122ee02787b796f6ee73a51b7041d4b46e0957e0db58099705b3d9d3782acd1954b922216583f576ca0caedc5d2d974b5b5201c0bd270b24a1114407377

Download Submit