Analysis
- max time kernel: 120s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/11/2024, 13:06
Static task: static1
Behavioral task: behavioral1
- Sample: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
- Resource: win10v2004-20241007-en
General
- Target: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
- Size: 2.6MB
- MD5: 33b4e30ee96a5727bc4493aeabd22780
- SHA1: e3afcfbe56f525706e317b6eb6d0a14c7da21f04
- SHA256: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39d
- SHA512: b4ad73297d7a865b0b50f6e4ee51281e7279ffd47d3baf0af658cefd80b2b94d1c99993e6757a87a06e099f2ca801a20e1e35e6dbe5172df2c025c509e528e73
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUp6b
Malware Config
Signatures
-
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
Executes dropped EXE (2 IoCs)
- PID 2380: ecadob.exe
- PID 2928: adobsys.exe
Loads dropped DLL (2 IoCs)
- PID 3012: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe (2 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials. This signature is reported at the TTP level only; no individual IoCs are recorded for it in this analysis.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5J\\adobsys.exe"
  Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBD\\optidevsys.exe"
  Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ecadob.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: adobsys.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3012: 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe (2 entries)
- PID 2380: ecadob.exe and PID 2928: adobsys.exe (the remaining 62 entries alternate between these two processes, 31 each)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 3012 (8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe) wrote to memory of PID 2380, procid_target 30 (4 entries)
- PID 3012 (8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe) wrote to memory of PID 2928, procid_target 31 (4 entries)
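The persistence signatures above (an executable dropped into the per-user Startup folder, and Run/RunOnce values named Parametr that point at executables under C:\Intelproc5J and C:\VidBD) are the indicators a responder would hunt for on other hosts. The script below is an added example and not part of this sandbox report: it applies those indicators, and the more general rule they instantiate (an autostart entry whose executable lives in a non-standard top-level directory), to Sysmon-style events. The field names follow Sysmon Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent SetValue); the events in EVENTS are constructed for the example from the report's IoCs plus two benign decoys, not exported from the sandbox.

```python
"""Added example: match the persistence IoCs from this report against
Sysmon-style events. The EVENTS list is CONSTRUCTED for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Per-user Run/RunOnce value path, in either the HKU form or the native
# \REGISTRY\USER form the report uses; the user SID is not pinned.
RUN_KEY_RE = re.compile(
    r"^(?:HKU|HKEY_USERS|\\REGISTRY\\USER)\\S-1-5-21-[0-9-]+"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# An executable written straight into the per-user Startup folder.
STARTUP_EXE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
    r"\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Top-level directories where a legitimate autostart executable normally lives.
# C:\Intelproc5J and C:\VidBD from the report are not among them.
ALLOWED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}
# Value name this sample used for both its Run and RunOnce entries.
KNOWN_VALUE_NAMES = {"parametr"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def executable_from_value(data: str) -> str:
    """Extract the executable path from Run-key data: collapse doubled
    backslashes (the report renders them escaped), drop quotes and arguments."""
    data = data.strip().replace("\\\\", "\\")
    m = re.match(r'^"([^"]+)"|^(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data


def top_level_dir(path: str) -> Optional[str]:
    """Return the lower-cased first directory component of a drive path."""
    m = re.match(r"^[A-Z]:\\([^\\]+)\\", path, re.IGNORECASE)
    return m.group(1).lower() if m else None


def check_registry_set(ev: dict) -> list[Finding]:
    """Event ID 13: TargetObject is the value path, Details the data written."""
    out: list[Finding] = []
    m = RUN_KEY_RE.match(ev["TargetObject"])
    if not m:
        return out
    exe = executable_from_value(ev["Details"])
    if m.group("name").lower() in KNOWN_VALUE_NAMES:
        out.append(Finding("run_key_known_value_name", ev["Image"],
                           f'{m.group("key")}\\{m.group("name")} = {exe}'))
    top = top_level_dir(exe)
    if top is not None and top not in ALLOWED_ROOT_DIRS:
        out.append(Finding("run_key_nonstandard_root_dir", ev["Image"], exe))
    return out


def check_file_create(ev: dict) -> list[Finding]:
    """Event ID 11: TargetFilename is the created file."""
    if STARTUP_EXE_RE.match(ev["TargetFilename"]):
        return [Finding("startup_folder_exe_drop", ev["Image"], ev["TargetFilename"])]
    return []


def scan(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev["EventID"] == 13:
            findings.extend(check_registry_set(ev))
        elif ev["EventID"] == 11:
            findings.extend(check_file_create(ev))
    return findings


# Constructed events: the three IoCs from the report plus two benign decoys.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe"
SID = "S-1-5-21-1846800975-3917212583-2893086201-1000"
EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\Intelproc5J\adobsys.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\VidBD\optidevsys.exe"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The two Run-key rules are deliberately separate: the value name Parametr is a sample-specific string that will not survive a rebuild, while an autostart executable under a made-up top-level directory such as C:\Intelproc5J is the durable behaviour. The OneDrive decoy is there to show that an ordinary per-user Run entry under C:\Users does not fire either rule.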
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe (PID 3012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (PID 2380, child of 3012)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Intelproc5J\adobsys.exe (PID 2928, child of 3012)
    Command line: C:\Intelproc5J\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 3d5c84c24686972025ee87acc32ad3a6
  SHA1: 4de5f1319439ac0d1105eb0ebcfbb690ca3b6341
  SHA256: 42a36be27ed499edae722cacb0b6a81765681fde1c6d49c4c0e454a7031b4b90
  SHA512: 3cb5698c886a345aad4ffdadbdb9c3fb2bd1dc6705e64e37f768b0934672c7b4f78f8d2b7370200c8a936557336f6494d63219f91851555fe760bac2711ad7e8
- Filesize: 173B
  MD5: 1ece35dff22c942e1517309fc8a1080d
  SHA1: f81922f4be9d12b31df53f6aef2cb8cf148b1856
  SHA256: e9b6b9c4c0972c518ea5187086024a445e4b89dd3c13fd08ac6bd4184e8c2f81
  SHA512: c0a27c17114039997b5a766282e49f4c8f5b8bb3295760d93d46cb92fb36f93d90523d3f623a94944941b23e2174b74d65670df4edbfe0a36429cdba071821f2
- Filesize: 205B
  MD5: e89a51b58b07ab63a4e38c2595f6f92e
  SHA1: 4699b4ff3bd19d2aab06240d8c657c98ed4ba669
  SHA256: 0c53ef48746dbdee36566bb00f4263eb0844f93df916ab5adb7a984b178d607d
  SHA512: c9aec1c1fc2929106c4499e133ed2afbfe6d05bd30ca619d8aaa2169cca2ecd97799ca2ba640967bb21eaef128a724a8bf071336886c9bea5cc4fa2a74b96718
- Filesize: 2.6MB
  MD5: f07d3f14adc0450b64283432c54bab78
  SHA1: 61a67708af12fd67b4ac16c0c3a3a7dbd1f42d13
  SHA256: 3e6279b65573dee22f56caaa4ed806d89d437ebfee211d7b9725575c3e367106
  SHA512: 2661f5aabe7110f193fc47f8974ce70d49ff5692f50aaa3cca6a91214fd5d8a44f6e985b37f6a837570b206ca5fc9271ac7a494f9d8d5f9f2c20840a66862880
- Filesize: 2.6MB
  MD5: a345d6b9ec5d20633f324e23e3c60efe
  SHA1: 3471650b7c3fe05a5b294af0fac495754bed625d
  SHA256: 4221d731e8417255c653f8395b258c397b283732ff8477e4b45cbc20bb8ac151
  SHA512: 8211814d27432a59846a013d3d554f8d0cc5e20e647d8ba9db5c255db9b73abf85ce5161f5c8a12748b906e2befc8fcdc8985bca6024c0b5706fde97fc560c69
- Filesize: 2.6MB
  MD5: ca1cb27809f92ee0eccbaf8576f847f8
  SHA1: 00fa815d54e9183d65994536c6104579cace2be6
  SHA256: 3c0764e7f27fa0ef272e972dd7f16ba750cbddc3ff0f5f499c8f5cc73118dca2
  SHA512: 093028c0b9ae72eca569e1df3dc22b266cbffe3b44fd03c1ecfdf6d4ad3fae98a054eea89d582964604cf90cfdc91a151afc462cb1aac1f0d126ccf6e25d2122