Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 12:19
Static task: static1
Behavioral task: behavioral1
- Sample: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- Resource: win10v2004-20241007-en
General
- Target: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- Size: 2.6MB
- MD5: 5d1714a9bfb70a428bc441e42d1a9700
- SHA1: 2befcff7614059fce1be59ef2bf5b678bd30ff11
- SHA256: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0
- SHA512: a2065f35ffb787e160b3527e1b1af1eb59dd5527d9c86aa5c716484c67a476b25ac84c41560f6d7a0e134a18ea455cff121997964fbee9a90bd3835638226949
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBNB/bSq:sxX7QnxrloE5dpUpObV
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2696 | locadob.exe
  2784 | adobec.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  3016 | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
  3016 | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFA\\adobec.exe" | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFC\\optidevloc.exe" | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | locadob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3016 | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe (first 2 entries)
  2696 | locadob.exe and 2784 | adobec.exe, alternating, for the remaining 62 entries
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 3016 wrote to memory of 2696 | 3016 | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | 31 (4 identical entries)
  PID 3016 wrote to memory of 2784 | 3016 | e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | 32 (4 identical entries)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe"
  PID: 3016 (depth 1)
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
    PID: 2696 (depth 2)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child path: C:\FilesFA\adobec.exe
    Command line: C:\FilesFA\adobec.exe
    PID: 2784 (depth 2)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: b653131fedf698436e569718ef262593
  SHA1: c2c02d060d088dc4182e9e584d544623f4a278f2
  SHA256: a565b9954b25da2bfc627323e6e73ff18b98f58ccee59a6f1b8c937c7bf36281
  SHA512: e759765f550aa75dbf7a0513e6fd3fbb5c69e8bb83ed269a5cecc744d654ad3b785058a72a5190bae6bd254378847b42438ed0977c7e9d92a51259de6d4a57d4
- Filesize: 2.6MB
  MD5: 7ad0bed9a1fc387b319abf0219aa4657
  SHA1: d95b00034d89b1143157f286c4ea7f4e56f77e0f
  SHA256: e871ef45e9a99bec4827519709907edcd776c4159da9906e6e706b184da0da60
  SHA512: a44152864dca94e6362370d8ff2d89d855d734cc5686a17f64f1504cf1bdbe9a38fe42997e87a9bdee5946d626c995680bdef6d2c0b98bef356406532e3798cb
- Filesize: 2.6MB
  MD5: 7d75799469f8abc715fd891a9a7fb06d
  SHA1: eab6f28766adcd1b29418d5fa68262505fcd3dd1
  SHA256: 730fc6b5bdd0b94d23ec69c89a27a7f01a8bce61853a009577b8bb5fb3edd1d0
  SHA512: de807ae60b22e9dac1161dff74fba02963be1ba65d0fb7939039bbac13de7f8e9a2956d3e3cb917664f2c4bda53d8697634fe27f87a1870e7ce7b03c2ed51c4b
- Filesize: 170B
  MD5: 14b3992cce671a73a0c560447b8636b4
  SHA1: 207c7f5c315337c8dd9db6154477eaced7b2564c
  SHA256: e4bf3376ba33103fb3f10104a14023c82845de5c99c7b2c50b88e3536e343fab
  SHA512: 55d50a7438cf71f9d73a342834a9d7f0d5a5c2b1101085f53cd7db91ad5c8fe9d8f777b823624d5ec810213ab805e36f41d81dc8b26de80c58e58827d30ad521
- Filesize: 202B
  MD5: 6c033df2c2703423e81821e17ff1c4b4
  SHA1: 3aac19f2e69c81cf1f53bb7981acc8d553ca116d
  SHA256: 87fbabe400e7c0e41a61c55ad0b366ac5547501f176453ef33ca3646c80a6821
  SHA512: 2ab50b8dfc85efc5c50d0654becd0c153d3ecdc645c216f9d9535e65310cafd711e9d95a3a0cac3a4d6a0ef38634e3d62b70a7d9a9d47d82fd06df121c1af56b
- Filesize: 2.6MB
  MD5: 5f910f81543631aaa34176a845d6e05c
  SHA1: 326e311bebe86d878ca7d6f1e773bba52b6c1a86
  SHA256: 60142e28861dc585d0d2a5ab70b7807fdd2ffcc4f787bd8b9ceb7495da271455
  SHA512: bb9c31afceeb09a02db361a62b9cb186c4f6c005b09cd117894bdfa442ce12fed34291070d42307bfbf321e34054b6307a5452d2230cba2404365813015ec6d9