af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe
Size

2.6MB
MD5

b2968c63b0bd11b6424cb9c2602d3210
SHA1

a01d9fd15b38454d33ae8f3423d610406b295325
SHA256

af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7
SHA512

f2aedb05a50703054b15c2ca29f1a8f8bade515ac4743f4946aad5881c265bf1daa6a816182f22ff35671e455412aa7a1eb344a1a7d6a6a26b6ec830d16bf313
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpIb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	ecaopti.exe
1756	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe
1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6Z\\adobec.exe"	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0N\\dobasys.exe"	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecaopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe
1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe
2840	ecaopti.exe
1756	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2840	1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe	28
PID 1604 wrote to memory of 2840	1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe	28
PID 1604 wrote to memory of 2840	1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe	28
PID 1604 wrote to memory of 2840	1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe	28
PID 1604 wrote to memory of 1756	1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe	29
PID 1604 wrote to memory of 1756	1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe	29
PID 1604 wrote to memory of 1756	1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe	29
PID 1604 wrote to memory of 1756	1604	af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe	29

C:\Users\Admin\AppData\Local\Temp\af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe
"C:\Users\Admin\AppData\Local\Temp\af62d97c8122a8904f6c94de3759cc4d0ab5d252015eec946724bda170eba9f7N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\SysDrv6Z\adobec.exe
  C:\SysDrv6Z\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint0N\dobasys.exe

Filesize
2.6MB

MD5
17bf4109ac000dae68cf89dfcd6fb748

SHA1
4c474c091c9ed4ff9f9814939bfecfe1cb9d26e3

SHA256
5c63a9d6d55406e8c386436e52861e1735aeda8e34cf9481213c1645deca2a1e

SHA512
f72d84422771bd0c7228c75f0493f13be780f26f96e2c150bd42f1911e69534fdde4fa65d498502004e5fea5cb2916714f80acf97e1f9ab9d9f9af145c760cab

Download Submit
C:\Mint0N\dobasys.exe

Filesize
2.6MB

MD5
892a105fc14ded741b455caef0c96867

SHA1
0059f98abaac6d0b6c64a853a6ddaf371837285f

SHA256
fb29ed3ef2320f54c2e5d48ca7482721390e9331b8159e392818e91139478893

SHA512
01bde05c0d0b98b753a281b38909e90e5c12b8a2ebf6484588bf1333b477e9cce75de4970973bd27e4aff3566785ac357fb44979093deca8d1969b30193132d4

Download Submit
C:\SysDrv6Z\adobec.exe

Filesize
9KB

MD5
069c7d5ebc20ead441519fc2807acdfc

SHA1
94eb49acfddc6450c4810d85271299b49f964a2a

SHA256
af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f

SHA512
91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
cad413c5b6fa0ea7353a996ae427c3ba

SHA1
942ce1ae961141f43c2d6a18a9df31cb6ad01057

SHA256
fba4707c825345be1870041243453455b29629db1f78d315b4fa10af57567cf4

SHA512
5f6fc1fc0b71d7e11f389b94540c18029292b64ef2a53835171a276a408cb7195d08b8e8bcddde44d7bac703cdfff4b81f34b6077e5e103a1d75d02f6299387e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
ac9873de0da13a93bb02b03f36bc988f

SHA1
012cbe873095a99df80e3496e3e548b747b7e5b8

SHA256
dbf0f6c023657e43f924caa5f75048f62dcbfac1d6b7001dd7329ebb945c7b25

SHA512
984f83e231c1c7d30e29dd7c77dbc537ccbd054f3adcb256773f68278fd2373feb92b2eeaa0b26ab15018db087c65cace78b6dac084fd0eb6aee601a204a1801

Download Submit
\SysDrv6Z\adobec.exe

Filesize
2.6MB

MD5
12a3d996ca4ddb4491156756d15bb9b9

SHA1
7dc9cd5e65a3563124045834a22506f6eaf11f51

SHA256
5e09782585fbe2236a5a183778b702de1549809f405985f1fd53ac8d5749fae2

SHA512
976f58b025d5ba8f31a203377ee066e50512634e9de2651b0036c7592d2322f9cc4fb3d364ca018872642aa7536871b15abe02b9681f007809d9003d12905aed

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

Filesize
2.6MB

MD5
5f610e6c587ecd6aaa3855712adf17d7

SHA1
810332f9e1f66c59d6411233708046c7084ab77c

SHA256
14e7b28736b7cdfe12e9f3d26fad4376cad8ead11867120a8edee37deb41c9d2

SHA512
a486509f97113a1e9e13fe2ff261966047c6ea4b09b13570f863effb90e90988121ebc5bfef2878bfa95b4b1b10fb485c34c96592ded6580c3735a4895fc31d5

Download Submit