Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2024, 21:18
Static task: static1
Behavioral task: behavioral1
- Sample: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
- Resource: win10v2004-20241007-en
General
- Target: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
- Size: 2.6MB
- MD5: 8cd708d12f6a6e34ff0a7bd37917ca30
- SHA1: ceaaac2eea1454143243b411916c12411ac09cc0
- SHA256: 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47af
- SHA512: f4b9ca0d5ae58d63952432650beabb4abd354db7d7b265fd02ba39016519ca23aa602b3314f98aabfcc4edb8797612f7e1813f034d9628a06184f09abdb21960
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBxB/bSq:sxX7QnxrloE5dpUpabV
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe, by process 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
- Executes dropped EXE (2 IoCs)
  PID 2016 ecdevopti.exe; PID 1752 adobsys.exe
- Loads dropped DLL (2 IoCs)
  PID 2340 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe (2 events)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBN\\adobsys.exe", by 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6U\\optiasys.exe", by 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe, ecdevopti.exe and adobsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2340 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe (2 events); the remaining 62 events alternate between PID 2016 ecdevopti.exe and PID 1752 adobsys.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2340 (599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe) wrote to memory of PID 2016 (procid_target 31): 4 events
  PID 2340 (599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe) wrote to memory of PID 1752 (procid_target 32): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe"), PID 2340
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"), PID 2016
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\IntelprocBN\adobsys.exe (command line: C:\IntelprocBN\adobsys.exe), PID 1752
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads