Analysis
max time kernel: 119s
max time network: 21s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 23:23
Static task: static1
Behavioral task: behavioral1
  Sample: 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
  Resource: win10v2004-20241007-en
General
Target: 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
Size: 2.6MB
MD5: de5119a5833a00c284562514bc52aef3
SHA1: f2e62e9ff4d6d0c40c911b0dc404a33d18e22fc2
SHA256: 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf
SHA512: 3a024ad05413ff62a08d19e7d636cbfa29148f714b8122de5dcfcea137f2b036f738fa9748e0f7c9dc258a099b75a698e3bf36dfeb5d46ebd0d91270edd050d6
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSf:sxX7QnxrloE5dpUpabe
Malware Config
Signatures
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
Executes dropped EXE (2 IoCs)
pid | Process
2316 | ecxbod.exe
1364 | adobec.exe
Loads dropped DLL (2 IoCs)
pid | Process
540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLJ\\optiaec.exe" | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvVZ\\adobec.exe" | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adobec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ecxbod.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
2316 | ecxbod.exe
1364 | adobec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 540 wrote to memory of 2316 | 540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 31
PID 540 wrote to memory of 2316 | 540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 31
PID 540 wrote to memory of 2316 | 540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 31
PID 540 wrote to memory of 2316 | 540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 31
PID 540 wrote to memory of 1364 | 540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 32
PID 540 wrote to memory of 1364 | 540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 32
PID 540 wrote to memory of 1364 | 540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 32
PID 540 wrote to memory of 1364 | 540 | 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | 32
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 540
  Level 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2316
  Level 2: C:\SysDrvVZ\adobec.exe
    Command line: C:\SysDrvVZ\adobec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1364
Network
MITRE ATT&CK Enterprise v15
Downloads