Analysis
- max time kernel: 120s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 22:57
Static task: static1

Behavioral task: behavioral1
- Sample: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
- Resource: win10v2004-20241007-en
General
- Target: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
- Size: 2.6MB
- MD5: dba9dda9620788444587443054e95a30
- SHA1: bc5d0c6ac4e052f310d2ad992dbd7bbc1b315e25
- SHA256: 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87
- SHA512: 4ecf4a0fa0cf2f5ffe7a82e1a5d433e10c9220aa917f0121d0b7f00e7c723cd6c1b0f3ff1ac4bfbfb95f3d5122b8eea0dd931106454b535b91a90317733eed07
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBQB/bS:sxX7QnxrloE5dpUpjb
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  3260 | ecxdob.exe
  1256 | devoptiec.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHT\\devoptiec.exe" | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBW9\\bodxec.exe" | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxdob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devoptiec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  4948 | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | 4
  3260 | ecxdob.exe | 30
  1256 | devoptiec.exe | 30
  64 entries in total: four for PID 4948, then alternating pairs for PIDs 3260 and 1256.

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4948 wrote to memory of 3260 | 4948 | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | 87
  PID 4948 wrote to memory of 3260 | 4948 | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | 87
  PID 4948 wrote to memory of 3260 | 4948 | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | 87
  PID 4948 wrote to memory of 1256 | 4948 | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | 88
  PID 4948 wrote to memory of 1256 | 4948 | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | 88
  PID 4948 wrote to memory of 1256 | 4948 | 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4948

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3260

  C:\AdobeHT\devoptiec.exe (depth 2)
    Command line: C:\AdobeHT\devoptiec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1256
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 5ccecb4bfda35edbebd7081505566219
  SHA1: eef3c415f356aa1b5112034a5fc8599f086d2700
  SHA256: 31eaa458538895949e4eebedbcd3a78720febf3554f61e73b3e10b408831454a
  SHA512: 9f947969db1c9de3e267dbefe253be876d0fa7e4b02bb46edbf103059b45c74e030ae671b5d7294c1c9ffc68cea03d59a3307862dff77903965ef0041d5ca95a

- Filesize: 2.6MB
  MD5: 56d51b3567dc903a7052a24f2e68be5b
  SHA1: d01e7083e0f41fd7bc3c3da2d644626812922db3
  SHA256: cc5af927c0248e9f368e6c26f66666c9eff5c32b6128fba6b38110ceb0d461eb
  SHA512: 40f26921b1adef3f852de4bfb699c16a3d6e2cd16135141532cb8c0997e624a45f65c27484d9307ac6c26616582b87bc43cf3fcb92094287ca70656f31370e39

- Filesize: 2.6MB
  MD5: c925546af61c25da7a7cbe9eb39aaf37
  SHA1: 6d0d651a58d5782634b9d92ad7b4dbc162db67e8
  SHA256: 92ee2a0298fa16ed68633b5aaa01a9a0f2676c7a63ea5ca88cced7db1bda3ec0
  SHA512: be62d0cb988f155f75c8b94039423d4d76b3c8af51c6a842e2a1b3984a784e9bc7f8391e83c8a078c7ed81477120ad1516f0dbd14cceff1e2ef8cb30df79009b

- Filesize: 1.1MB
  MD5: bf04fa63bb070dd2845042a04154d8a5
  SHA1: 3e199415a13f2ec61be39ab9ebb7850128187d9c
  SHA256: 3fe58b002e3811a783bc9a694b1d3d35cb18e27f7bd5398f2c803dfe9585aa5b
  SHA512: 18d5b0bce56c1b66cf437e27aaecdf00800356bfa9bf5716be626ca9d436d8e4d9f99cf6066e08d5f4d7b91caebf27dcae4cb46a3c86e051d75f56bdd844a991

- Filesize: 200B
  MD5: b39bd4f2a1188c5e35356ed0edb734f6
  SHA1: 0dfba04ba7770ca590870f12f37d6ae9774608e4
  SHA256: 33d708e808ce4840df600ccae3ecc2c4233d909ffa5be5c72e1eec88fa0ec7b1
  SHA512: fa0e33b6b2d84e5fc308077c46c59a57123e104cda8335fca970755f64ea375803bb471edf9b760113f754f26d7d9201d1b02102201805a83ab99669d273b8e3

- Filesize: 168B
  MD5: 4708898b9ddb9a3949b84fb74c7c371b
  SHA1: a6e72ef74c0ba3019bc08f0377a59f681be9121e
  SHA256: a4815983fc9678799916820365c07b83f0f8c0439c62c21be2e6e49794cf83f8
  SHA512: 9d2d8fce9fca22f21dbd6bbec6045b9942f6b859323a5701af237fd67fbb5b60871b77f4c1396a5d1fbc16f2436f932c047c5e0a2a9c9a01d49ddfb5d18fb9ce

- Filesize: 2.6MB
  MD5: f07147311af481dcdd76a564227f6184
  SHA1: 32d3d2e74c9de51e984c8ff3c35845671daf2921
  SHA256: 8e9ad0a0ab8b3590fbee792a445150afd75fce6f6d27dcd8cb96780abfbbbd48
  SHA512: b5b709e8447e9ec49059df1b2d8ad3016b1ad42a408c5f9bff886e65cb57d4f47b217105a4f7577ca835c24612ae3f6bd7f59cc308ca168fbe5e1a40dddfda04