Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 19:27
Static task: static1
Behavioral task: behavioral1
- Sample: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
- Resource: win10v2004-20241007-en
The signatures, process tree and dropped files below come from the behavioral2 run (win10v2004-20241007-en, the resource named in the analysis header); the win7 run is not shown on this page.
General
- Target: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
- Size: 2.6MB
- MD5: f275dc4fd58a355191f68c8f70d280e2
- SHA1: 3e915e33e978db0d5b8597f60b1b845ecdadcf88
- SHA256: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc
- SHA512: 0fc2b4f95577f4970622cf397c9302e2f59f03a8fc98a86129516b41d67c535857a5ace0082c5aa844dcb2bf50f934d9d61f8f3b514e961fd51cb5c76c87a57d
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBDB/bSq:sxX7QnxrloE5dpUpIbV
Malware Config
Signatures
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (process: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe)
Executes dropped EXE (2 IoCs)
- PID 2120: ecxdob.exe
- PID 5048: adobsys.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoCs are attached to this signature in the report, so it rests on the sandbox's behavioural heuristics rather than on a specific file or key access shown on this page.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotE2\\adobsys.exe" (process: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLT\\bodxsys.exe" (process: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe)
Both values use the same name, Parametr, and point at non-standard top-level directories (C:\UserDotE2, C:\LabZLT) rather than at the copy dropped in the Startup folder. The RunOnce target C:\LabZLT\bodxsys.exe does not appear in the process tree for this run; RunOnce entries execute at the next logon of that user, so it would run then if the file is present. Together with the Startup-folder drop, that gives the sample three independent persistence paths under the same user hive.
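Host-side check for the two persistence artefacts above, the Startup-folder drop and the Run/RunOnce values, as an added example that is not part of the sandbox report: a PowerShell triage script for a suspect Windows host. The paths, the value name Parametr and the hashes are taken from the report; walking every loaded hive under HKEY_USERS instead of only HKCU, enumerating every user's Startup folder, and the regex for the sample's two top-level directories are choices made here.

```powershell
# Added example, not part of the sandbox report: triage a suspect Windows host for
# the persistence artefacts the report attributes to this sample. Run elevated.
# Paths, the value name and the hashes come from the report; walking every loaded
# hive under HKEY_USERS (not just HKCU) is a choice made here.

# SHA256 values listed in the report: the sample and the three 2.6MB files under "Downloads".
$KnownSha256 = @(
    '09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc',
    '99dd6274207e9e7059323ef0d2aab2353290728c378eb9caf1ff8ab792a13972',
    'a8edc7f142fdc17bfb7b403cff7f211ba71fcc7c063815e4860b5b43a90365bb',
    'c11e17cdc0ed3d051973558703a97f2a318ecfc1b010a3d6967a3f7b591a9a48'
)
$SuspectDirs      = @('C:\UserDotE2', 'C:\LabZLT')   # targets of the Run / RunOnce values
$SuspectValueName = 'Parametr'
$findings = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce under every loaded user hive. The report shows the values written
#    under HKU\<SID>, so a check limited to HKCU would miss other logged-on users.
$runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
    foreach ($rel in $runKeys) {
        $key = Get-Item -LiteralPath "Registry::$($hive.Name)\$rel" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Flag the exact value name seen in the report, and any autorun whose
            # target sits in one of the two top-level directories from the report.
            if ($name -eq $SuspectValueName -or $data -imatch '^"?C:\\(UserDotE2|LabZLT)\\') {
                $findings.Add([pscustomobject]@{ Type = 'Registry'; Where = "$($key.Name)\$name"; Detail = $data })
            }
        }
    }
}

# 2. Every user's Startup folder plus the all-users one. The report shows ecxdob.exe
#    dropped there for user Admin; list any .exe, since user and file name may differ.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($u in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $startupDirs += Join-Path $u.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{ Type = 'StartupFile'; Where = $f.FullName; Detail = "$($f.Length) bytes" })
    }
}

# 3. The two directories named in the Run / RunOnce values, hashing everything inside.
#    The dropped copies in the report hash differently from the parent, so a hash
#    miss does not clear a file; the directory existing at all is the signal.
foreach ($dir in $SuspectDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue) {
        $h   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
        $tag = if ($KnownSha256 -contains $h) { 'hash listed in report' } else { 'hash not in report' }
        $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Where = $f.FullName; Detail = "SHA256 $h ($tag)" })
    }
}

if ($findings.Count -eq 0) { 'No artefacts from this report found.' } else { $findings | Format-Table -AutoSize }
```

Save as a .ps1 and run it in an elevated session. The Startup-folder listing will also include legitimate entries, so read the output as a worklist for review; the registry hits on the value name Parametr or on the two directories, and any file under C:\UserDotE2 or C:\LabZLT, are the findings that map directly to this report.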
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecxdob.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobsys.exe)
This key is also read by benign locale-aware software, so on its own it is a weak signal; it is worth noting here mainly because all three processes in the chain open it, which is consistent with the dropped copies carrying the same locale check as the parent.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The report lists the same PID/process pairs repeatedly: PID 3736 (09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe) four times, then PID 2120 (ecxdob.exe) and PID 5048 (adobsys.exe) in alternating pairs, 30 entries each. All 64 come from the three processes in the chain.
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3736 (09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe) wrote to memory of PID 2120 (ecxdob.exe), target process index 87 (3 entries)
- PID 3736 (09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe) wrote to memory of PID 5048 (adobsys.exe), target process index 88 (3 entries)
Every write is from the parent into a child it had just started, which is the pattern ordinary process creation produces when the parent sets up the new process before its first thread runs. Injection into a process the sample did not create would show writes to a PID that is absent from the process tree; there are none here.
Processes
- C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe (depth 1, PID 3736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe (depth 2, PID 2120)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDotE2\adobsys.exe (depth 2, PID 5048)
    Command line: C:\UserDotE2\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Both children are launched directly by the parent (PID 3736) from the locations it just wrote to; neither spawns further processes in this run, and the RunOnce target bodxsys.exe never executes.
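The chain above (a parent in the user's Temp directory starting children from the Startup folder and from C:\UserDotE2) is what endpoint telemetry should be able to reproduce. As an added example that is not part of the sandbox report, the following PowerShell rebuilds that parent/child relationship from Sysmon ProcessCreate events. It assumes Sysmon is installed with process-creation logging (Event ID 1) enabled; the image paths come from the report, while the 24-hour lookback window, the path regexes and the output fields are choices made here.

```powershell
# Added example, not part of the sandbox report: rebuild the parent/child chain in
# the process tree above from Sysmon ProcessCreate events (Event ID 1) on a suspect
# host. Assumes Sysmon is installed with process-creation logging enabled. The
# image paths come from the report; the lookback window is a choice made here.

$LookbackHours = 24

# Images the sample launched per the report, combined into one alternation regex.
$childRegex = @(
    '\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$',   # ecxdob.exe, per-user Startup folder
    '^C:\\UserDotE2\\[^\\]+\.exe$',                     # adobsys.exe, the Run target
    '^C:\\LabZLT\\[^\\]+\.exe$'                         # bodxsys.exe, the RunOnce target
) -join '|'

function Get-SysmonProcessCreate {
    param([datetime]$Since)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Lift the named EventData fields out of the event XML.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ProcessId   = [int]$d['ProcessId']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            ParentId    = [int]$d['ParentProcessId']
            ParentImage = $d['ParentImage']
        }
    }
}

$events = @(Get-SysmonProcessCreate -Since (Get-Date).AddHours(-$LookbackHours))

# Children started from one of the persistence locations named in the report.
$suspectChildren = $events | Where-Object { $_.Image -imatch $childRegex }

foreach ($c in $suspectChildren) {
    # Resolve the parent's own creation event. PIDs are reused, so take the most
    # recent creation of that PID that precedes the child, not just any match.
    $parent = $events |
        Where-Object { $_.ProcessId -eq $c.ParentId -and $_.Time -le $c.Time } |
        Sort-Object Time -Descending | Select-Object -First 1
    [pscustomobject]@{
        ChildTime    = $c.Time
        ChildPid     = $c.ProcessId
        Child        = $c.Image
        ParentPid    = $c.ParentId
        Parent       = $c.ParentImage
        ParentCmd    = $parent.CommandLine
        # In the report the parent ran from the user's Temp directory; flag that case.
        ParentInTemp = [bool]($c.ParentImage -imatch '\\AppData\\Local\\Temp\\')
    }
}
```

A row with ParentInTemp set to true and a child under the Startup folder or one of the two directories is the sandbox's tree reproduced on a live host. Rows whose parent is explorer.exe or userinit.exe are also informative: they show the persistence entries firing at logon rather than the initial drop.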
Network
MITRE ATT&CK Enterprise v15
Downloads
Six file entries are listed, without filenames. Three are 2.6MB, the same size as the submitted sample, but each hashes differently from the sample and from the others, so a hash-only indicator for the parent will not match the persisted copies; match on the persistence paths and the Run/RunOnce value name instead.
- Filesize: 2.6MB
  MD5: ec3143025916fc8ad37c9e673ad7fc61
  SHA1: dd35affaeae1fe228649d00c09fc25256e978078
  SHA256: 99dd6274207e9e7059323ef0d2aab2353290728c378eb9caf1ff8ab792a13972
  SHA512: d4740d81373cbfdcea9b49abce3b9b0ba71e5e741e3783d47773e7ab42675e52e9022ecea21d8352d7764b05316bf4844448d4119eaf6e506211a8e14dda03b3
- Filesize: 18KB
  MD5: 7b3af07912640805489e8c5cf4d13cdd
  SHA1: ebbf740092a005c3977c248e866e368bd740fabe
  SHA256: 796cd64f663a3cf7a7152674d09a6e15ce855b7bcc484e09032d93e380273de8
  SHA512: f38bc3460dcba201e04314f8585733c0305f097921a1c45a98e6211fcaa629f95a25f4bb5248e9228ee4cfb91a86eb34bb42b10cb8f1733aa492b0f8ec1da96d
- Filesize: 2.6MB
  MD5: d0fe65c282ef3f766a00c468798f5446
  SHA1: 001eb1af754fc73fe4c0cad3199d7b6b762c26e7
  SHA256: a8edc7f142fdc17bfb7b403cff7f211ba71fcc7c063815e4860b5b43a90365bb
  SHA512: 2d621e86047e6e705660b5afcc24adca02cef834d7a2532c56975863434f09ee6433026e49a169061dd2d3168d5783aee9e04755893605a91b6775223c5984ff
- Filesize: 201B
  MD5: ce0c498349d8df71f6531ed484efa923
  SHA1: bd74867684c8b1e21bdeaae662a2f708711b000c
  SHA256: bc0a4465c1f0a8450b4c3e27aa5bc2c9c599f5978501dd729c88869ddd8f3736
  SHA512: f6bc3381925d1640351c5e40433cc67e9f69246cfb14066d1ab1cf515a07c00fec2b57b0318bcd68aaed783b228af6e3c360ee6bc9e29c1783199e1cfec4d9dc
- Filesize: 169B
  MD5: 3c0e30121450fe1019dc3d76bd6d00b5
  SHA1: 1fc7c4082a18eaaeadd5700afc71f7bf6fd0185c
  SHA256: 1891170a2825f9bef1620d189052803192ac79baa8abf84ce5a33facd648bd0e
  SHA512: d8966ea5280eb3be6868c648745104f30ebfbbca556fbf718330c17f7975e217d3636892de9f0c393f117aba9f6dba209590ae2dd074fdf3fc9a14db9e32a028
- Filesize: 2.6MB
  MD5: 87926f62d416e5aa2aff2d9005d31c73
  SHA1: f84b207f12bfe782be63ed8ff4dc3f0a60611c26
  SHA256: c11e17cdc0ed3d051973558703a97f2a318ecfc1b010a3d6967a3f7b591a9a48
  SHA512: d1f3290b4b4e6e708c895d38eaac9efcbad77d8c871f0a49725f039ba42a19c1b89a0f21fd570f8fcb466e80227878b8637accd71482f524baee1e0dfd6b98cf