37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe
Size

2.6MB
MD5

0b0472b6e2af847c5469af9e25bf8abc
SHA1

e7a6449c55b709c94368a1851d746f68b718f041
SHA256

37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7
SHA512

a29e04cf84c6233cae4af0fb70f09df2d783753864eda467d29538e3b7af375aeb1ed3712b161edfafaf18a1270059365b49bbc9bb243affec32c6761c0d9ae8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBlB/bS:sxX7QnxrloE5dpUpWb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe

Executes dropped EXE 2 IoCs

pid	Process
4000	ecdevbod.exe
1872	adobsys.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKZ\\adobsys.exe"	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6J\\boddevsys.exe"	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevbod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe
1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe
1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe
1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe
4000	ecdevbod.exe
4000	ecdevbod.exe
1872	adobsys.exe
1872	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 4000	1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe	86
PID 1992 wrote to memory of 4000	1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe	86
PID 1992 wrote to memory of 4000	1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe	86
PID 1992 wrote to memory of 1872	1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe	87
PID 1992 wrote to memory of 1872	1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe	87
PID 1992 wrote to memory of 1872	1992	37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe	87

C:\Users\Admin\AppData\Local\Temp\37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe
"C:\Users\Admin\AppData\Local\Temp\37c817cad9f19011264dcedd3f1abdf0da725a33eb79167879fa52d2b9fefbf7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- C:\IntelprocKZ\adobsys.exe
  C:\IntelprocKZ\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocKZ\adobsys.exe

Filesize
8KB

MD5
4f22d799849ad951d457b82eff37db75

SHA1
4e1063fe8d636bd72f9cd680c689c23c67188ea6

SHA256
6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948

SHA512
9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a

Download Submit
C:\IntelprocKZ\adobsys.exe

Filesize
2.6MB

MD5
b5d374538d2752a5797b5a4a7e12a2c0

SHA1
45adda626032715e4d095272804cfd0068ab3a5d

SHA256
51df730d7e0cc682a3e5d35dd5a5fad15704ef91b5cfcb91ae67c6c2b1539b60

SHA512
b16cd7eb23091c8dc7ac7a72bdfc8c2e93a9767d210d78071831e6d2f89d5e9de512f560e703b90d3dd38931e183ca0f30040a5d836596bba5166a8a8d14261b

Download Submit
C:\KaVB6J\boddevsys.exe

Filesize
2.6MB

MD5
e704ff03514f276303442692bd105bb8

SHA1
28fcce522bb2b2c47d1a72f8762744f73872a896

SHA256
afe3cf8a417c0dbb55a2cfc35bae145faca46c7ab7d259750f9c7fa31c5b0e89

SHA512
255baca4069011e989dfae856e8d66f31863a2f9ffd6cc8bf69740d0052df2e75cc513ab7e865625ee40b348976ef50eea85c776d2a720a60b419ba768b0c126

Download Submit
C:\KaVB6J\boddevsys.exe

Filesize
178KB

MD5
a990ac71037b0de5ae4653d9345be900

SHA1
1eaaf5d46ef19be783368b3c9cba6d35cdd7d5bb

SHA256
80c8f037b2960351c8c3b01979b5ca4d6e61cf8ca712a1092087c08a5c807d7b

SHA512
1ae49451408c196289e815384f1566c851d7144ad2f50b7768fcc53ad1e13553ba4d64b8c1925b49692d320467e12a50dc2c55fc0e71807a7530d20b86033bc2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
645133286b1cfd86f3b794adc392d602

SHA1
048ced9c75bd04f0dc8192b43245f4176538ee51

SHA256
fb5282e847e6b7bebf46c7941e11c7e29583d2dd4a3270f88133741dd6672395

SHA512
7f6b50acd285198aea0bccdfe0b6601dca25f6e5df5124229f8bc5bfb512dcca1575b657cd9fa4089695efefe0c2e9d6d139136ade66683ad9a426f946b1a90b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
fd7b7d2f500252a8c01320136097abb5

SHA1
23703eb0ad6ef136ad823e55096fa4d0609b044f

SHA256
cd5f0f05075a1e33096346a378e70c3f836373dfa22aa7f91c5f68a802ec25d5

SHA512
2e710e9bec000cd32324d39b6fbd78cdcd6d55bb5f3841ce4c849b7e2f25adac7faf50bbc13135d8202e7be7b5dd8e9652d451ac9257d7abe1cb24b52ee98044

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.6MB

MD5
31855204faba7305d00440284df1ac77

SHA1
21c84870d4f32474e5d6925862380560c37d368c

SHA256
2bbf941d5e268e617df5213ef137f6d0fe6aa54480e67870b1340b6186fc3bb8

SHA512
f9006b691fb2388dac3fcabf5af15cabc596d388f220177a11ffb8a2fb92ee88d30c513d11ff68433aea614683d146dc6c53d992b6394ca62f8ea86055fc327e

Download Submit