Analysis

max time kernel: 119s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:10

Static task: static1

Behavioral task: behavioral1
Sample: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
Resource: win10v2004-20241007-en
General

Target: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
Size: 2.6MB
MD5: 26234f25757607a2c6e9c2a664b824f0
SHA1: 52a21524c60502ac26b5c9ff807d8546d9c1b339
SHA256: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cd
SHA512: b8d7c5be067efcdeed501c4eda0e29b4e3f8b38a2ec12eae7a1df8857cb13a9da06dace621cc9de397943cdda6e7f01d5c155caa6714b73c3f7b5e3add792ff2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bS:sxX7QnxrloE5dpUpFb
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  Process: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
Executes dropped EXE (2 IoCs)
  PID 1868  ecdevbod.exe
  PID 3680  adobloc.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no individual IoCs for this signature, only the TTP mapping, so there is no specific file or key to pivot on here.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv59\\adobloc.exe"
  Process: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7A\\bodaec.exe"
  Process: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
Both values use the same name, Parametr, and both point at executables in freshly created root-level directories rather than a program or user-profile location. The Run target C:\SysDrv59\adobloc.exe was launched directly by the sample during the trace (PID 3680); the RunOnce target C:\Mint7A\bodaec.exe does not appear in the process list, so it was registered for the next logon but not observed running here.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecdevbod.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: adobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3596  aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe  (4 events)
  PID 1868  ecdevbod.exe  (30 events)
  PID 3680  adobloc.exe  (30 events)
After the parent's four events the remaining 60 alternate in pairs between ecdevbod.exe and adobloc.exe, i.e. both dropped executables keep enumerating processes for the rest of the trace.
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3596 (aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe) wrote to memory of PID 1868 (ecdevbod.exe), procid_target 88: 3 events
  PID 3596 (aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe) wrote to memory of PID 3680 (adobloc.exe), procid_target 89: 3 events
All six writes go from the sample to the two children it spawned. A parent writing into a process it has just created is also part of ordinary process creation, so on its own this signature shows the spawning relationship; it does not by itself establish code injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe  (PID 3596)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe"
  Signatures: Drops startup file; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe  (PID 1868)
  |     Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  |     Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  |
  +-- C:\SysDrv59\adobloc.exe  (PID 3680)
        Command line: C:\SysDrv59\adobloc.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
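The persistence and process records above can be turned into a quick triage check. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses the Run/RunOnce "Set value" lines, the startup-folder drop and the process tree exactly as printed above (the records are copied from this page), normalizes the doubled backslashes, flags autostart targets that live outside the directories a legitimate installer would use, and cross-references each target against the process tree to tell registered-but-not-yet-run persistence (the RunOnce entry) from persistence that already executed. The TRUSTED_ROOTS allow-list is an assumption for illustration and would be tuned per environment.

```python
"""Triage helper: autostart persistence vs. observed execution (added example)."""
import re
from dataclasses import dataclass

# Records copied verbatim from the report's "Adds Run key" and "Drops startup file" IoCs.
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv59\\adobloc.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7A\\bodaec.exe"',
]
STARTUP_DROPS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe",
]
# Image paths from the report's process tree, keyed by PID.
OBSERVED_PROCESSES = {
    3596: r"C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe",
    1868: r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe",
    3680: r"C:\SysDrv59\adobloc.exe",
}
# Assumed allow-list (illustrative): roots under which installers normally place executables.
TRUSTED_ROOTS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows",
    r"c:\users\admin\appdata\local\programs",
)

# "Set value (type) <key>\<valuename> = "<data>"" as the sandbox prints it.
_REG_RE = re.compile(
    r"Set value \((?P<type>\w+)\) (?P<key>.+?)\\(?P<name>[^\\]+) = \"(?P<data>.*)\"$"
)


@dataclass
class Persistence:
    mechanism: str             # "Run", "RunOnce" or "StartupFolder"
    name: str                  # registry value name, or dropped file name
    target: str                # normalized executable path
    outside_trusted_root: bool  # target not under any TRUSTED_ROOTS entry
    observed_running: bool     # target appears as an image path in the process tree


def normalize_path(data: str) -> str:
    """Collapse the doubled backslashes the report prints and strip quotes."""
    return data.replace("\\\\", "\\").strip('"').strip()


def is_under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def is_observed(target: str) -> bool:
    """True if a process with this exact image path ran during the trace."""
    return target.lower() in {v.lower() for v in OBSERVED_PROCESSES.values()}


def parse_registry_ioc(line: str) -> Persistence:
    m = _REG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised registry record: {line!r}")
    mechanism = m.group("key").rsplit("\\", 1)[-1]   # last key component: Run / RunOnce
    target = normalize_path(m.group("data"))
    return Persistence(mechanism, m.group("name"), target,
                       not is_under_trusted_root(target), is_observed(target))


def parse_startup_drop(path: str) -> Persistence:
    target = normalize_path(path)
    return Persistence("StartupFolder", target.rsplit("\\", 1)[-1], target,
                       not is_under_trusted_root(target), is_observed(target))


def triage() -> list:
    """All persistence entries found in the report, in report order."""
    findings = [parse_registry_ioc(line) for line in REGISTRY_IOCS]
    findings += [parse_startup_drop(p) for p in STARTUP_DROPS]
    return findings


def pending_targets(findings) -> list:
    """Targets registered for autostart but never seen executing in the trace:
    these are what to expect at the next logon or reboot."""
    return [f.target for f in findings if not f.observed_running]


if __name__ == "__main__":
    for f in triage():
        flag = "SUSPICIOUS" if f.outside_trusted_root else "ok"
        ran = "ran in trace" if f.observed_running else "NOT observed running"
        print(f"{f.mechanism:<13} {f.name:<12} -> {f.target}  [{flag}, {ran}]")
```

Run as-is it reports all three entries as outside the trusted roots, with adobloc.exe and ecdevbod.exe already executed and bodaec.exe still pending; that pending list is the set of paths to collect from the image before it is rebooted, since the file it points at is never shown running in this trace.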
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 22KB
MD5: 5e5f77e5a8bba3451205d15924cd85c2
SHA1: 8dc6f4f6076d3abc71b64626f34bc06239e824c1
SHA256: 2cf5e62848375af5dfdbd237976b8bf53195ad0533a458694c774a09a1c5e622
SHA512: 865f8b9eafb8e98c518d4157321733e2b3a01e26eabd18a9260225be73c393ad11ddb23be1bcb85fe39df817842f35624262bcbe170f66b1887924be42e32d37

Filesize: 2.6MB
MD5: 6a5a4422d897e38676ca7d3635d9e34f
SHA1: 83f66f85e36795555f00e12a635db152f992a6dd
SHA256: f00e01c6efcd9f43909ae0a243167bb3fb93eb887e445d45f69474cf6c5d4e19
SHA512: b53457bd45d6c3e3f1c910cfef4f089aeaf97bed6b51360b2f7542827b8a6c3cd96c97570cfa8c7ab03b7655d17bd92e2dc87668041de14d21460117ae1cefba

Filesize: 115KB
MD5: 60f138cd300f13294b0be77515a2b86b
SHA1: c7cd1731bb7edf1277c0807cd911af817d3ffaa5
SHA256: 0a659a158e3344c256b779d2ad141f2ebfd6c34a6730fa482ef602461fd6b51a
SHA512: 2ab899fe5da955f3714bd50242682eba3db5363b9b495b123f671df45e912e6dd9ddef51561999d24e9f3598188ad70aa6ba89d9ffd935303be9dba3915a598e

Filesize: 2.6MB
MD5: f332e5881f656d9faa64de05baea391a
SHA1: ce169cc41c22638e6c3f8dfbc27e8ef10e8ae330
SHA256: 2ebb9e85f0cac6961fd7fe53595b4207085dcdf668c703add5c8e631481fbea8
SHA512: 29735e985bc2d35652e29eccc66fe73ba628bba6b4b115bc004c1ddfdf92a8f4f513eea2028f3cfe7910076d87452fb4eaabf434abdbcb1d6ff9d9301672eff3

Filesize: 201B
MD5: 82a979e3c8b6b96ba66f4b5bfd5db284
SHA1: 672c1391e0c576ac07c01fdd71f03e36273d3cf6
SHA256: 5d386740237a9c712ea9b5eda20ca35ebb151a871c27d5e884b8f3e84db5e045
SHA512: b8f5209f94635b1e686e8e62d3100a5c8bd5911d92fe09676aa57ce98c62ab8903c6471ba259d1e9bfc77f8710bd7d15bc957728661c29501490cbc3fe76ee12

Filesize: 169B
MD5: f83b0740c159f43712b05ffe7f6ecef7
SHA1: b6bd185bb37739530514e0f56cb6e21bb7718e93
SHA256: f8adbf545890e393772519492eb229a09ee54cf472d39b6526d37d2bbd119689
SHA512: aab81e44282bf5ecc4f831b8f5a7c73c25c8828532641bdbae6c209ab208223caf43609258cd2e50ac05547395fd8597a0112cac3b4a14d5dcafa61d50ab361a

Filesize: 2.6MB
MD5: 689397301e22151ecdc063244e072046
SHA1: acddcddcb0caa4acd2a97f4fe66fc0ec9c43eedf
SHA256: c0a6cc6516a7cfba3930e89ffa0645ca4769b1607b8c334cf1bd619802e5dd76
SHA512: 620555af1f0cbcb8274f58a5377b6f54024b99710e1b18b838da0bd9b6f1af1214ada33cbb7b3be4d5d4b2457043156c46d4f2916fd1a0693813647684b4aa8c