Analysis
- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:16
Static task: static1
Behavioral task: behavioral1
- Sample: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
- Resource: win10v2004-20241007-en
General
- Target: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
- Size: 2.6MB
- MD5: 4ecf927a8c12c4d60767427b6b9111f0
- SHA1: 2933bd81f9cc63cf5518db0c9dde7a7993d7d7bf
- SHA256: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcf
- SHA512: d32326242a1291482c3f25a66f98640f31e04f7e1e9fb18ebcf77615ed00805d733a2e565d54bf0b6509e9274fc0f98978f04520423bc61ec0e7fd7d82d0747a
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBdB/bSq:sxX7QnxrloE5dpUpGbV
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (process: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe)
- Executes dropped EXE (2 IoCs)
  Processes: ecdevbod.exe, adobloc.exe
  PID 3448: ecdevbod.exe
  PID 1600: adobloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4X\\adobloc.exe" (process: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC9\\bodaec.exe" (process: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe, ecdevbod.exe, adobloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevbod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe, ecdevbod.exe, adobloc.exe
  The 64 entries are repeated occurrences of the following PID/process pairs:
  PID 3516: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
  PID 3448: ecdevbod.exe
  PID 1600: adobloc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
  PID 3516 wrote to memory of 3448 (process: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe, procid_target 90), recorded 3 times
  PID 3516 wrote to memory of 1600 (process: 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe, procid_target 91), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3516
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe (tree level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3448
  - C:\Intelproc4X\adobloc.exe (tree level 2)
    Command line: C:\Intelproc4X\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1600
Network
MITRE ATT&CK Enterprise v15
Downloads