1218159171e8b1be069c538486ec224e3bca76d7e396d4123a95074424f0e62f

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
Size

2.6MB
MD5

dea34826f04f9e0e2843331b3a4fd645
SHA1

9acb4e68c30db027e55f134d41e145aef6a1b135
SHA256

1218159171e8b1be069c538486ec224e3bca76d7e396d4123a95074424f0e62f
SHA512

506c90e4a638942ca496f21608ebc96ca62011903d2fa5177fd3423714c20bb2b2671fe858b54f1a43859cb1d32d0f86f188e08db9d7ad4b8a63f129e2b44754
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBUB/bS:sxX7QnxrloE5dpUpLb

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe

Executes dropped EXE 2 IoCs

pid	Process
2096	ecxdob.exe
3028	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotE2\\adobsys.exe"	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLT\\bodxsys.exe"	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe
2096	ecxdob.exe
2096	ecxdob.exe
3028	adobsys.exe
3028	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2096	2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	86
PID 2340 wrote to memory of 2096	2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	86
PID 2340 wrote to memory of 2096	2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	86
PID 2340 wrote to memory of 3028	2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	87
PID 2340 wrote to memory of 3028	2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	87
PID 2340 wrote to memory of 3028	2340	Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe	87

C:\Users\Admin\AppData\Local\Temp\Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Autorun.ATA_virussign.com_dea34826f04f9e0e2843331b3a4fd645.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\UserDotE2\adobsys.exe
  C:\UserDotE2\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZLT\bodxsys.exe

Filesize
334KB

MD5
4bde3229a0b2b36f86b17a76496a3fd8

SHA1
fde998eca06e080a835247f1032a92378d26d7e1

SHA256
628b8de61899e58881015e8141f76be4cc78c494e8935728f1510e1e16e3876a

SHA512
fe4754884d112efbe52234afd88aa62926c42e7d88a1c3aacdbd6aa92d1fd2858475772aceff1ac20923a0d92a505ffe7a7ac8b8db5f4df37f1077af699e483d

Download Submit
C:\LabZLT\bodxsys.exe

Filesize
818KB

MD5
8abd8c51351ea6c456c85e68f31781a9

SHA1
e7eca9803335ca1660d0954e1075eed9ee3896c9

SHA256
1f15648d33fe720acb9aea0aaf4170bdd8a5269d9c0e9edbc1b5c2ba53bd9a0a

SHA512
25fd9950e8d61f61f8383a02b1dd826891b7cd66714019c079a3b0be07db3c5ce57adcf84b541b7a7fd790517e6a08f9a7953806871203c6abce4097a4c1fd28

Download Submit
C:\UserDotE2\adobsys.exe

Filesize
2.6MB

MD5
1062abd93c79e09f7f68dd67e1abfe21

SHA1
f37b6636a59465bf1e7df71777e1eaa82218719a

SHA256
79dc1e02e5555937a18fc7e3be8ea0ae71864085aec25d14e1aace8b36fe6123

SHA512
bdd533986d04b852ebcf650521a327b807930b2fce1e38fbbc21c32d2ef36f378172cea69be59dc263f82355925392904f0e0bd234c40a5c4ad3f95782ad3ac6

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
ce0c498349d8df71f6531ed484efa923

SHA1
bd74867684c8b1e21bdeaae662a2f708711b000c

SHA256
bc0a4465c1f0a8450b4c3e27aa5bc2c9c599f5978501dd729c88869ddd8f3736

SHA512
f6bc3381925d1640351c5e40433cc67e9f69246cfb14066d1ab1cf515a07c00fec2b57b0318bcd68aaed783b228af6e3c360ee6bc9e29c1783199e1cfec4d9dc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
3c0e30121450fe1019dc3d76bd6d00b5

SHA1
1fc7c4082a18eaaeadd5700afc71f7bf6fd0185c

SHA256
1891170a2825f9bef1620d189052803192ac79baa8abf84ce5a33facd648bd0e

SHA512
d8966ea5280eb3be6868c648745104f30ebfbbca556fbf718330c17f7975e217d3636892de9f0c393f117aba9f6dba209590ae2dd074fdf3fc9a14db9e32a028

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
2.6MB

MD5
1698dbe32960857d2ae003886d476b6c

SHA1
35c075ba235605a187e178eb697502f81a5fe2d5

SHA256
5cf31903f381e8369a666fe4eaa5553fb03a5cc969fe0cc125cb58920758108e

SHA512
f7c07b4836af54ffa15de0f5db0bc301670be7700e25b6b080005d35ef4432b73974a3ee6311b17fb59ceb44c7462536196e868c9ab31dd33f1829dff9ee22fd

Download Submit