Analysis
max time kernel: 119s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 16:34
Static task: static1
Behavioral task: behavioral1
  Sample: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
  Resource: win10v2004-20241007-en
General
Target: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
Size: 2.6MB
MD5: 3fa5ecad405ce4b1ed6f6fbb4fcd1350
SHA1: 7dbf377d4e7a50197cebbe5a1b8f8d8eb77f31e9
SHA256: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098
SHA512: a9cabf8b3751830cc894959bcb8bbf06deda309e0aabcd3b85de04afe8100afa500d1e6e22dcdbbf67692de30fff246c86c6f411d52a1850dd8cfa5e3ed127a5
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSq:sxX7QnxrloE5dpUp2bV
Malware Config
Signatures
Drops startup file 1 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (process: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe)
Executes dropped EXE 2 IoCs
PID 2260: ecdevdob.exe
PID 3060: adobloc.exe
Loads dropped DLL 2 IoCs
PID 2004: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe (2 entries)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9F\\adobloc.exe" (process: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJB\\bodasys.exe" (process: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe)
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecdevdob.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobloc.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 2004: 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe (2 entries)
PID 2260: ecdevdob.exe and PID 3060: adobloc.exe (the remaining entries, alternating between the two processes)
Suspicious use of WriteProcessMemory 8 IoCs
PID 2004 (7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe) wrote to memory of PID 2260, procid_target 30 (4 entries)
PID 2004 (7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe) wrote to memory of PID 3060, procid_target 31 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2004
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2260
  C:\Intelproc9F\adobloc.exe (depth 2)
    Command line: C:\Intelproc9F\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3060
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: fb702db1f93f18f3f868d49e519e4d16
SHA1: ef3c93e210e8c74c937da11755cbe276667655b0
SHA256: cce86bee7152a770f171c3753b52ea6e273730100bd5c032a7b479e2b575a99f
SHA512: 04589e24768f33c132d0f9b86b6b3646d07d59fc2ffb78b9a4fdcba824329f769e124880d9461e52a04d829a81f0156f3a029f005f50df7cf97f2325669a3b60

Filesize: 172B
MD5: 3d12847dacefcce53dcac7d1348acd3a
SHA1: 51b185ac0fce96138225762a37ed5e1a079f6079
SHA256: d3c285170f05ece82fd7f468fe0ab84e748157fff4d585df8e447acb1f41eb5c
SHA512: 08d40f930c7403b91006232f97106daa939a12f67833d177068b76d7fcb53e53171e1a6d273a92bd3ca784d58ce094d304c859d2f7b4ce7e64929cee5f9ca50a

Filesize: 204B
MD5: 4c1657d99fa370c250848f3191bb827a
SHA1: d0223d52f5cf12ce2ad81efb4f43f8efb2d32404
SHA256: c4e6f6d95af03567a3a023bee01b52b2247de737cc6768fbb25462058bd5b5c6
SHA512: 94303e5fbd22a806ee161c96b4cce3d5603e8d0f2fbb223584a3a22b4b51d55ac66e13b58c1480d844d58b2ce2df6fc3c4160658519af1c9a08bb61c1ce3586d

Filesize: 2.6MB
MD5: f6b60415fcb2a411d24a5696e80c5d74
SHA1: 2c7825a4d2e6235f4fcfb5196f80235cf56b32a3
SHA256: 1ff4f566f12e848fc49f9770b1acd6cc066b778ac720a0648d0c9199a4790621
SHA512: 8195e8a86469d9cf3872151e4baeccfab7a39bc730fe074eeddf33afbe1da8d9a4ee267d6831daa828b6de1d183f526770f47a83787462225a5fea2e69ddf6f4

Filesize: 2.6MB
MD5: e1de8b30297d5a3d1f7db8715ff53bce
SHA1: 88d32c76dd4cc1fa65d86093caf7285abf5df9a8
SHA256: e2269e993847747d80d2fe7df02621c696dae5528200689c220bc58e1b39440b
SHA512: 9857ef146fd40c866a005c8f0d4fe5907402b164a1e0520602a74de41808a6f600a86fb6ef4d04bf19d4df8e0506087cfc48a0e6913e2da902e6aa3e1d2c91ca

Filesize: 2.6MB
MD5: ed8ebaf280635d5cc4b194b3465d252d
SHA1: bd63bd627dcb73a4b6e67e2cea27ce63f461b9b3
SHA256: 3162862d447752b51a58c54affd46fe4a86adaa121d5e3fb66d0bf74112abaf7
SHA512: c1f064cb4921e91444ead25d79c51000eb71343e25c23139261e10d0d6c24554b1e2c6911a679fc278b76ef46b34c08307c953f140c7deb938ca6b4faa85d1db