Analysis
max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 14:56

Static task: static1
Behavioral task: behavioral1
  Sample: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
  Resource: win10v2004-20241007-en
(The signatures, process tree and dropped files below are from behavioral1, the Windows 7 x64 run.)
General
Target: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe (referred to below as "the sample")
Size: 2.6MB
MD5: 660feb1886398baf42ac5e6c1d7fb930
SHA1: edeb7f81eb514b3a68e9cc08037f2ddaa65d5a28
SHA256: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23
SHA512: 0d4b79c99462c84731facf301a593836a29ab179eaa3dc3d0ab02e4830130ed8d5f26d091f9ab16f5a3109d8ba17bf71bfc72a0d2e65addf8c4056f058e32d24
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBrB/bS:sxX7QnxrloE5dpUpMb
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  Process: the sample (PID 1064)
  Anything placed in the per-user Startup folder runs at the next interactive logon of that user, with no registry change needed.

Executes dropped EXE (2 IoCs)
  PID 2700  ecdevbod.exe
  PID 2744  adobec.exe

Loads dropped DLL (2 IoCs)
  PID 1064  the sample (2 events; the DLL path is not shown in this report)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. This entry is a TTP tag only: the report lists no concrete file or registry IoC for it.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXS\\optidevsys.exe"   Process: the sample
  Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ6\\adobec.exe"   Process: the sample
  Both values share the name "Parametr" and point into freshly created top-level directories (C:\GalaxXS, C:\IntelprocZ6). Note that the RunOnce target, optidevsys.exe, never appears in the process tree of this run; the RunOnce value is consumed at the next logon, which the sandbox window does not cover.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: adobec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: the sample
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Process: ecdevbod.exe
  All three executables perform the same check, which is consistent with the dropped files being copies of the same code.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1064  the sample        2 events
  PID 2700  ecdevbod.exe      alternating with 2744 for the remaining 62 events
  PID 2744  adobec.exe        alternating with 2700 for the remaining 62 events
  The two dropped processes keep enumerating the process list for the whole run, a pattern typical of a watchdog that checks whether its sibling is still alive.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1064 (the sample) wrote to memory of PID 2700 (ecdevbod.exe), procid_target 30   4 events
  PID 1064 (the sample) wrote to memory of PID 2744 (adobec.exe),   procid_target 31   4 events
  Both targets are the children the sample launched (the same PIDs appear under "Executes dropped EXE"), and no write into an unrelated process is recorded, so these events are consistent with ordinary process creation rather than a separate injection step. Treat this signature as corroborating the process tree, not as evidence of injection on its own.
Processes
C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe   (PID 1064, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe   (PID 2700, depth 2, child of PID 1064)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocZ6\adobec.exe   (PID 2744, depth 2, child of PID 1064)
    command line: C:\IntelprocZ6\adobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
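The persistence and drop artifacts above (the "Parametr" Run/RunOnce values, the Startup-folder copy, the C:\IntelprocZ6 and C:\GalaxXS directories, and the dropped-file hashes) are enough to sweep a suspect host for this sample. The following PowerShell script is an added example and is not part of the sandbox report; the hashes and paths are copied from the report, while the script structure, the HKCU scope and the process-name check are the author's assumptions.

```powershell
# Added hunting script for the artifacts listed in this report. Not part of the
# sandbox output; paths and hashes are taken from the report, everything else is
# an assumption. Requires PowerShell 4+ for Get-FileHash.
$ErrorActionPreference = 'SilentlyContinue'

# SHA256 of the submitted sample plus the four 2.6MB files captured as dropped.
$KnownSha256 = @(
    '6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23',
    '7133cc7f5018312aeaf1df1752dd6069c72cb53093cc8fca25aae87bdae82650',
    '5657fa62d6474603973e7f543958b005259fb114dda06b5c9e785f102edb5d94',
    'c9b5f92be3df921a7033dd3364ab285b0c51e87b076dfddb40f83515fbb6ec6f',
    '7790045b61f138815c64302b6a8d3cae62bd652c4e9388d66ac7a3eeb62e45f1'
)
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Run / RunOnce values named "Parametr". The sandbox wrote them under the
#    interactive user's hive, so HKCU is checked here; for other profiles load
#    their NTUSER.DAT under HKU and repeat.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    $props = Get-ItemProperty -Path $key
    if ($props -and ($props.PSObject.Properties.Name -contains 'Parametr')) {
        $Findings.Add("autorun value: $key\Parametr = $($props.Parametr)")
    }
}

# 2. Dropped executables: the Startup-folder copy and the two directory targets.
$StartupDir = [Environment]::GetFolderPath('Startup')   # current user's Start Menu\Programs\Startup
$Paths = @(
    (Join-Path $StartupDir 'ecdevbod.exe'),
    'C:\IntelprocZ6\adobec.exe',
    'C:\GalaxXS\optidevsys.exe'
)
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        # The report's dropped copies all carry different hashes, so a miss here
        # does not clear the file; it only means this exact build was not seen.
        $tag = if ($KnownSha256 -contains $h) { 'hash listed in report' } else { 'hash not in report, possible variant' }
        $Findings.Add("file present: $p sha256=$h ($tag)")
    }
}

# 3. Live processes named after the droppers, regardless of where they run from.
Get-Process -Name 'ecdevbod', 'adobec', 'optidevsys' | ForEach-Object {
    $Findings.Add("process running: $($_.Name) pid=$($_.Id) path=$($_.Path)")
}

if ($Findings.Count -eq 0) {
    'No artifacts from this report found on this host.'
} else {
    $Findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated PowerShell on the host being checked. The file-name and value-name matches are the strongest signal in practice: because each dropped copy in the report has its own hash, blocking or searching on the sample's SHA256 alone will miss the copies the sample leaves behind.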
Network
MITRE ATT&CK Enterprise v15
Downloads (files captured from the run)
The report does not pair these entries with file names. Four of them are 2.6MB, the same size as the sample, yet each carries a different hash from the sample and from one another, so the dropped copies are not byte-identical to the submitted file; hash-only detection on the parent will not cover them.

File 1
  Filesize: 2.6MB
  MD5: 9c1b14eaf859a5c8d1197347b5ba1f9e
  SHA1: 9478eab83db7c1fb53c9c94947022329c0867665
  SHA256: 7133cc7f5018312aeaf1df1752dd6069c72cb53093cc8fca25aae87bdae82650
  SHA512: 390ef6bd5984bf3be90b09a9a286577982c74b282c6ae5728cda4f98af4c9b4ac84309490aaa7df536e41758af850d0c1e93d84691cabc89ac4bcc84fee5b615

File 2
  Filesize: 2.6MB
  MD5: c2c22aad98dc9d4bec0c8f1f518ddfd8
  SHA1: 9a40ab0480bfd4665005e238ffe8d1cbc6c99000
  SHA256: 5657fa62d6474603973e7f543958b005259fb114dda06b5c9e785f102edb5d94
  SHA512: 6c1c89da14b34f8fed64c4339ac093cb155e8af5a012cbc7728cde28ada30d3eab376349d05960dbf545301b3e8503d12f07a6f2cc2fff386d962dcbe8a3bb59

File 3
  Filesize: 2.6MB
  MD5: 54164f59540335c05a33967050bdecaa
  SHA1: a564fd69c44d5006d55115e1e42a7a220f7dab0d
  SHA256: c9b5f92be3df921a7033dd3364ab285b0c51e87b076dfddb40f83515fbb6ec6f
  SHA512: 5a491d9d3a0831d4aaeb7f74a2606d09e0437c66fd9e54e4262540cfd6bbf3b00bf2cb931a056369f9ead4fa54df243accbecd16342736f070ee32ee2ed89f4d

File 4
  Filesize: 176B
  MD5: d7a335f972f34c9a127707baa64f6cd0
  SHA1: 1786737e1380bbc2993711b89fba8eaa31ee8d63
  SHA256: 9f2a31b39f22748cf1d5d510fa8feae29c477dcff5ebc12a54c4306b7874f597
  SHA512: 16ce5e53717a6b3bc54698b86da1a3674cb6665228f4648d9306892a5e15fa38ca701e564afa4e84f4750c66041880c822c15bbea06af20f20191ef825afea15

File 5
  Filesize: 208B
  MD5: cf667dabdedcea742fb3481fe8ce27c7
  SHA1: fcc43bd9e31066044376cb15b1528979fecfad13
  SHA256: 28f9ce5b9b5c8fb76937e47fa71da4d3bba1db3a7921b529667e33e651acf879
  SHA512: 0c33b3ca0011cfc80983e24e1709333ef5145eef53dc544f8cc92cbdbaf4d232f9d02bb201a7edabc01189824916d78ca9754fac5a9fae9f1b01f3ae29298cd5

File 6
  Filesize: 2.6MB
  MD5: 9844cf281abadfda855445b503ced7bf
  SHA1: df32396a511e060b3df3dbd32ef9d89a56f1c573
  SHA256: 7790045b61f138815c64302b6a8d3cae62bd652c4e9388d66ac7a3eeb62e45f1
  SHA512: 88717d0c50ddcce5b5265981a6e19e9f012b911770714c6e8c025551a0fde61be1f83a51c1845e50966f67ab8382d50bb29072597714141b36265837cc7544d6