ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bb

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
Size

2.6MB
MD5

f37d7c6251df1089e5b218e13a7c1240
SHA1

7ecc11246dbc4cb83d4619490ba0489ff04aae65
SHA256

ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bb
SHA512

d2eef1b3a8be07518cb6ddf3836e6da5373e49d996d6611a7738606ebeb1ffce80c4941e8fc7cfcdec1500300c53d061475ddd88108ba6ecb9665167db5f6b4d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUpab

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	ecdevdob.exe
2828	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8Q\\adobloc.exe"	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4I\\optialoc.exe"	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe
2764	ecdevdob.exe
2828	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2764	2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	30
PID 2664 wrote to memory of 2764	2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	30
PID 2664 wrote to memory of 2764	2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	30
PID 2664 wrote to memory of 2764	2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	30
PID 2664 wrote to memory of 2828	2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	31
PID 2664 wrote to memory of 2828	2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	31
PID 2664 wrote to memory of 2828	2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	31
PID 2664 wrote to memory of 2828	2664	ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe	31

C:\Users\Admin\AppData\Local\Temp\ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe
"C:\Users\Admin\AppData\Local\Temp\ee45fedc1dbfdd8a3eeb6bbb16d40fc4414caef92de074de3f122565a8c147bbN.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\Intelproc8Q\adobloc.exe
  C:\Intelproc8Q\adobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc8Q\adobloc.exe

Filesize
2.6MB

MD5
c9e1162f66f28fea226744ab872d90eb

SHA1
884c343067742f0373b4a5ce5e9f5633972bc74b

SHA256
b71b94e0d78bd9324517e3ca740849bd5a165a86025d4580a7a430d30a1d9460

SHA512
d41ad07f642f497a8d92aa98ab1fb963c8e926fbd52a983fb4c6be84a6217dbd40e61076e64f8abe6174033521691a83ae708689f5f7afd53edd78d0d49002c4

Download Submit
C:\Mint4I\optialoc.exe

Filesize
2.6MB

MD5
b94ac10d2247d2528ea5232ed4e1cb4b

SHA1
52a34ec17003728aaefc921a455b254929003951

SHA256
237aec33f764722ce1b87d006e5ff73a51c09a4ad1926463a3855a9a784fd689

SHA512
652b623628d1339e73bc77838c13c3076c3942ff1628713253beabf7fb20447f56254c06db300df356a470cf4277dc86aad9282bf2bf69580538e9092a0fe5fa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
27c479c99428b8bf0d71220a0e52cd31

SHA1
5a2592636f79cb00f375a24fb7112a0cb1a4978e

SHA256
2c1bfff0ecf67a2605050aa4efe33cfbce6438738d735235460f4de8a3a92a77

SHA512
ce682ea6fd0b519deb74323fd296725514690324ab76693a53e0d0c278ce5c2fdbe61779ca755171233a09f2368edbaad09170220e7b3b4a04e1e24ba6233a8c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
4553ca632820bad7f139188baddb846e

SHA1
88683cce45b61c9165b3623df4da016870de325b

SHA256
87dac863ba654387e855faa231037e5b1bf63921c74273886cdbf1a831626ecc

SHA512
663fabe25b0d9dce94bd5c34883228d81d79116594a4235cc073e33275f769acc1a8f03035731fdcdb06669e37354e4ead9a0559828abfa348e4bfaf3bca04e3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
4742b61c976813a46e63820d24de6042

SHA1
4f5ed4c67c015a9140bc7c33588299947ef49940

SHA256
17b56e300339e56e144c2dadf1761cd74eb9debe05e065ca175221090827d807

SHA512
fa27912376ebe61b4c4cab07f444d7a4781cdc8fca51af6baf072d9805496f925c57e9df6f7b3a57ef2f87f84a062f295cbed01aaa7073e194f657e17dbb838d

Download Submit