Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240903-en · locale:en-us · os:windows7-x64 · system
  • submitted
    08/11/2024, 13:06

General

  • Target

    8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe

  • Size

    2.6MB

  • MD5

    33b4e30ee96a5727bc4493aeabd22780

  • SHA1

    e3afcfbe56f525706e317b6eb6d0a14c7da21f04

  • SHA256

    8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39d

  • SHA512

    b4ad73297d7a865b0b50f6e4ee51281e7279ffd47d3baf0af658cefd80b2b94d1c99993e6757a87a06e099f2ca801a20e1e35e6dbe5172df2c025c509e528e73

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bS:sxX7QnxrloE5dpUp6b

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
    "C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2380
    • C:\Intelproc5J\adobsys.exe
      C:\Intelproc5J\adobsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2928

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Intelproc5J\adobsys.exe

          Filesize

          2.6MB

          MD5

          3d5c84c24686972025ee87acc32ad3a6

          SHA1

          4de5f1319439ac0d1105eb0ebcfbb690ca3b6341

          SHA256

          42a36be27ed499edae722cacb0b6a81765681fde1c6d49c4c0e454a7031b4b90

          SHA512

          3cb5698c886a345aad4ffdadbdb9c3fb2bd1dc6705e64e37f768b0934672c7b4f78f8d2b7370200c8a936557336f6494d63219f91851555fe760bac2711ad7e8

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          173B

          MD5

          1ece35dff22c942e1517309fc8a1080d

          SHA1

          f81922f4be9d12b31df53f6aef2cb8cf148b1856

          SHA256

          e9b6b9c4c0972c518ea5187086024a445e4b89dd3c13fd08ac6bd4184e8c2f81

          SHA512

          c0a27c17114039997b5a766282e49f4c8f5b8bb3295760d93d46cb92fb36f93d90523d3f623a94944941b23e2174b74d65670df4edbfe0a36429cdba071821f2

        • C:\Users\Admin\253086396416_6.1_Admin.ini

          Filesize

          205B

          MD5

          e89a51b58b07ab63a4e38c2595f6f92e

          SHA1

          4699b4ff3bd19d2aab06240d8c657c98ed4ba669

          SHA256

          0c53ef48746dbdee36566bb00f4263eb0844f93df916ab5adb7a984b178d607d

          SHA512

          c9aec1c1fc2929106c4499e133ed2afbfe6d05bd30ca619d8aaa2169cca2ecd97799ca2ba640967bb21eaef128a724a8bf071336886c9bea5cc4fa2a74b96718

        • C:\VidBD\optidevsys.exe

          Filesize

          2.6MB

          MD5

          f07d3f14adc0450b64283432c54bab78

          SHA1

          61a67708af12fd67b4ac16c0c3a3a7dbd1f42d13

          SHA256

          3e6279b65573dee22f56caaa4ed806d89d437ebfee211d7b9725575c3e367106

          SHA512

          2661f5aabe7110f193fc47f8974ce70d49ff5692f50aaa3cca6a91214fd5d8a44f6e985b37f6a837570b206ca5fc9271ac7a494f9d8d5f9f2c20840a66862880

        • C:\VidBD\optidevsys.exe

          Filesize

          2.6MB

          MD5

          a345d6b9ec5d20633f324e23e3c60efe

          SHA1

          3471650b7c3fe05a5b294af0fac495754bed625d

          SHA256

          4221d731e8417255c653f8395b258c397b283732ff8477e4b45cbc20bb8ac151

          SHA512

          8211814d27432a59846a013d3d554f8d0cc5e20e647d8ba9db5c255db9b73abf85ce5161f5c8a12748b906e2befc8fcdc8985bca6024c0b5706fde97fc560c69

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

          Filesize

          2.6MB

          MD5

          ca1cb27809f92ee0eccbaf8576f847f8

          SHA1

          00fa815d54e9183d65994536c6104579cace2be6

          SHA256

          3c0764e7f27fa0ef272e972dd7f16ba750cbddc3ff0f5f499c8f5cc73118dca2

          SHA512

          093028c0b9ae72eca569e1df3dc22b266cbffe3b44fd03c1ecfdf6d4ad3fae98a054eea89d582964604cf90cfdc91a151afc462cb1aac1f0d126ccf6e25d2122
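The Signatures and Processes sections above show this sample persisting twice (a copy dropped into the per-user Startup folder and a Run key), and the Downloads list records the same path twice with different hashes for both C:\VidBD\optidevsys.exe and the 253086396416_6.1_Admin.ini file, so the content at those paths changed during the run. A hunt keyed only on the SHA256 values will therefore miss the version that lands on a given host. The script below is an added example, not code from the report or the sandbox vendor: it transcribes the path and SHA256 indicators from the Downloads list, normalises paths so the sandbox profile name "Admin" does not prevent matches on other user profiles (the `*` wildcard and the "any new .exe in the Startup folder" heuristic are this example's assumptions), and classifies a constructed set of host observations into exact hash matches, path-only matches and heuristic hits.

```python
"""Offline triage of host file observations against the dropped-file indicators
in the sandbox report above.

Added example, not part of the report. REPORT_IOCS is transcribed from the
report's Downloads section; SAMPLE_HOST_FILES is constructed sample data, not
real telemetry.
"""
import hashlib
import ntpath

# (path, sha256) pairs from the report's Downloads list. The report lists
# some paths twice with different hashes: the file content changed during
# the run, which is why path matching is kept alongside hash matching.
REPORT_IOCS = [
    ("C:\\Intelproc5J\\adobsys.exe",
     "42a36be27ed499edae722cacb0b6a81765681fde1c6d49c4c0e454a7031b4b90"),
    ("C:\\Users\\Admin\\253086396416_6.1_Admin.ini",
     "e9b6b9c4c0972c518ea5187086024a445e4b89dd3c13fd08ac6bd4184e8c2f81"),
    ("C:\\Users\\Admin\\253086396416_6.1_Admin.ini",
     "0c53ef48746dbdee36566bb00f4263eb0844f93df916ab5adb7a984b178d607d"),
    ("C:\\VidBD\\optidevsys.exe",
     "3e6279b65573dee22f56caaa4ed806d89d437ebfee211d7b9725575c3e367106"),
    ("C:\\VidBD\\optidevsys.exe",
     "4221d731e8417255c653f8395b258c397b283732ff8477e4b45cbc20bb8ac151"),
    ("\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ecadob.exe",
     "3c0764e7f27fa0ef272e972dd7f16ba750cbddc3ff0f5f499c8f5cc73118dca2"),
]

# Per-user Startup folder, in normalised form (assumption: any new .exe here
# is worth review, since that is where this sample drops ecadob.exe).
STARTUP_SUFFIX = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"


def normalize(path: str) -> str:
    """Canonical form for comparing report paths with host paths.

    Lower-cases, drops the drive letter (the report mixes 'C:\\...' and
    '\\...'), and replaces the profile name under \\Users\\ with '*' so
    indicators recorded for the sandbox user 'Admin' match other profiles.
    """
    _drive, rest = ntpath.splitdrive(path)
    parts = rest.replace("/", "\\").lower().split("\\")
    for i, part in enumerate(parts):
        if part == "users" and i + 1 < len(parts):
            parts[i + 1] = "*"
            break
    return "\\".join(parts)


KNOWN_HASHES = {digest.lower() for _, digest in REPORT_IOCS}
KNOWN_PATHS = {normalize(p) for p, _ in REPORT_IOCS}


def classify(path: str, sha256: str) -> str:
    """Classify one host observation (path plus SHA256 of its content)."""
    norm = normalize(path)
    if sha256.lower() in KNOWN_HASHES:
        return "hash-match"          # byte-identical to a reported artifact
    if norm in KNOWN_PATHS:
        return "path-match"          # same path, content drifted (expected)
    if STARTUP_SUFFIX in norm and norm.endswith(".exe"):
        return "startup-exe"         # heuristic: unexpected Startup-folder binary
    return "no-match"


def sha256_of_file(local_path: str) -> str:
    """SHA256 of a file on disk, for feeding real hosts into classify()."""
    h = hashlib.sha256()
    with open(local_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(observations):
    """Map each (path, sha256) observation to its classification."""
    return {path: classify(path, digest) for path, digest in observations}


# Constructed sample observations (fake digests), not real telemetry.
SAMPLE_HOST_FILES = [
    ("C:\\Intelproc5J\\adobsys.exe",
     "42a36be27ed499edae722cacb0b6a81765681fde1c6d49c4c0e454a7031b4b90"),
    ("c:\\vidbd\\optidevsys.exe", "0" * 64),
    ("C:\\Users\\jsmith\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ecadob.exe", "1" * 64),
    ("C:\\Users\\jsmith\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe", "2" * 64),
    ("C:\\Windows\\System32\\notepad.exe", "3" * 64),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_HOST_FILES).items():
        print(f"{verdict:12s} {path}")
```

On a live host, pair `sha256_of_file` with a directory walk of the user profiles and the root of the system drive; the root-level drop directories in this report (C:\Intelproc5J, C:\VidBD) are unusual locations for executables and are the first places to look after the Startup folder and the Run keys.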