Analysis

max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 15:02

Static task: static1

Behavioral task: behavioral1
  Sample: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  Resource: win10v2004-20241007-en
General

Target: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
Size: 2.6MB
MD5: 38c782e87792354ca420f178655dfaf0
SHA1: 55a9e267dda831d2f8fa98094e6ef04442c51bb2
SHA256: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604f
SHA512: acb6c699271127b8f9d38604f28388f924f8f7b93d0ec4e3280a42d6c0f7229c225ff4224d52c46510c8abfe17bf663d02103d4b561847ab20a226f64340f220
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bSq:sxX7QnxrloE5dpUpBbV
Malware Config

Signatures

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  process: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe

Executes dropped EXE (2 IoCs)
  pid 3256  ecdevbod.exe
  pid 4768  adobloc.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4X\\adobloc.exe"
  process: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC9\\bodaec.exe"
  process: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: ecdevbod.exe
  description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: adobloc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 events, all from the following three processes:
  pid 1300  d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe
  pid 3256  ecdevbod.exe
  pid 4768  adobloc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                                                                 procid_target
  PID 1300 wrote to memory of 3256   1300  d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe  87
  PID 1300 wrote to memory of 3256   1300  d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe  87
  PID 1300 wrote to memory of 3256   1300  d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe  87
  PID 1300 wrote to memory of 4768   1300  d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe  90
  PID 1300 wrote to memory of 4768   1300  d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe  90
  PID 1300 wrote to memory of 4768   1300  d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe  90
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe  (PID 1300)
  command line: "C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe  (PID 3256)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\Intelproc4X\adobloc.exe  (PID 4768)
    command line: C:\Intelproc4X\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads