Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 23:05
Static task: static1
Behavioral task: behavioral1
  Sample: d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
  Resource: win10v2004-20241007-en
General
Target: d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
Size: 2.6MB
MD5: af4e02c1ae0d33b078cec2d88ad2d5c0
SHA1: ea2627cc11ffaa4c76257382aa820d04cb804c8f
SHA256: d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616fa
SHA512: f13586399790e9bc542002393ffc77e48ffabc21ee487fc6a523f365557060306e35df5f0e2ce2738821e5d7a7c00d07cf6a41ae692acd6034ee03a3a7680bc2
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBEB/bSq:sxX7QnxrloE5dpUp7bV
Malware Config
Signatures

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2108 | ecdevdob.exe
  2264 | adobec.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
  2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIP\\adobec.exe" | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2Z\\dobdevsys.exe" | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecdevdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
  2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
  2108 | ecdevdob.exe
  2264 | adobec.exe
  (the 2108 ecdevdob.exe / 2264 adobec.exe pair repeats alternately for the remainder of the 64 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2440 wrote to memory of 2108 | 2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 28
  PID 2440 wrote to memory of 2108 | 2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 28
  PID 2440 wrote to memory of 2108 | 2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 28
  PID 2440 wrote to memory of 2108 | 2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 28
  PID 2440 wrote to memory of 2264 | 2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 29
  PID 2440 wrote to memory of 2264 | 2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 29
  PID 2440 wrote to memory of 2264 | 2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 29
  PID 2440 wrote to memory of 2264 | 2440 | d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe"
   PID: 2440
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
      PID: 2108
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\SysDrvIP\adobec.exe
      Command line: C:\SysDrvIP\adobec.exe
      PID: 2264
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: b344f683d47b9ce9a6b7419ea624da4a
SHA1: 60e6208426015932e2514881b45b9aae02ed012b
SHA256: abf5a70b7dca72f8f59c2efea5c14863d8c413f1e5ba859a2f8ebc0edad42f4f
SHA512: f65dd36b9bd9c284013bfe9190f042108cf3b6ad90e1fe984673f63a7986dd8991b38c78e2a1295d0da8ee76acf48a4a0b586b68932aaaed56c9d1eb7cc34486

Filesize: 2.6MB
MD5: f0a78b1e29ccc2a158eeb19862bcc6be
SHA1: df2aff6d92ce9ba2379cedcea90d91f330592b27
SHA256: 93a5821dba79846495d515efd307250067d0a9af35125a062ffbdaa017ea1442
SHA512: 83fad5f7f8582f0ba46c44bd446ed59537280262e5f66dfb66aba108c5bd1b56f6a1b3b978992680ad025774dde3404eb1a98c4bc5550961142014330dbf2bb1

Filesize: 2.6MB
MD5: 73e2dc40b2529d4b5937bc83e18c40a9
SHA1: ce6704628714b8ffe0bc3ce3b0c485ba19b8b1f6
SHA256: a810b8b2665c51b77da727b8043fdf20a627c07b8ab7fc8296dafc6802d250cf
SHA512: dd1431cb6963e657392ae9fee6753046e19941810836cae43b6d3e3725eac5e0911b495c66b4dfdd1c6612c80111bb957c8d95449217fd4d279e9254fd15e8bb

Filesize: 171B
MD5: 4ac585dd1e95539a8a77c400bd1232cf
SHA1: 5befdc6bff53b8a2a55879a1a775dee918b2e935
SHA256: e738e9ea0187ab568187cbe791c96e139826ae7a09606d42f21ecc35ed7436a7
SHA512: 7de9850558c0086e0b393ce22a47561cc82746c7b3f91cf26ab076409576bea556997d15126c32ca9c2cc228a4ce3f151701221b03c20259f35fcae90bca0f6c

Filesize: 203B
MD5: 58952ef1fa808af00f03f5b95752a646
SHA1: ad3fe5f8bd8d4d477b4f25c68e1674ffc4a42844
SHA256: ce41363ac900911dfb9ceef2a5e2d4338e6cb7277d264fb0f2b453a32200c0f8
SHA512: d3f481e737f9fbb29d9ed17b341a0322a759e4d3e0c9fa08bced89e1b88127c34a219f9ff0411fc12435026a7f20fa9f46109fb7d70967fad678690fd499531a

Filesize: 2.6MB
MD5: 4652aa636876a226355f8e175c68f2f6
SHA1: 1baf50f018f0df14eebefee217b46872ed0c55bd
SHA256: fc9036f2a9fab21be6674afe9cbef8771b1f1d42b98ee1d5ebd0cc333e12bc7c
SHA512: f37f1fbcb46f77cea44d26d2654082393d9138572cd8f45d3d75264072cc1a18c1cf3a54dd8a5e10a9aa66936321d7bd1fd9ce1da0ea4e5ec5e8c83536f52d33