Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 16:51
Static task: static1
Behavioral task: behavioral1
- Sample: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
- Resource: win10v2004-20241007-en
General
- Target: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
- Size: 2.6MB
- MD5: 46f26c47f98deb501b7414fcfca26350
- SHA1: 7481d679b4b396d1ab1cbae89425ca88e734f9f6
- SHA256: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6
- SHA512: f853693f06d8bd30ef77308850b12b88e2387ab113c301aacea2f381fef1be6f9c9c1fe7a01dd14f732ad0bcacee7b912a73e2b07ea9010ded5ad2f7702cbd74
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bS:sxX7QnxrloE5dpUp7b
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (process: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe)
- Executes dropped EXE (2 IoCs)
  PID 2732: ecabod.exe
  PID 2764: adobsys.exe
- Loads dropped DLL (2 IoCs)
  PID 1600: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe (2 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGB\\adobsys.exe" (process: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2T\\dobdevloc.exe" (process: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecabod.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: adobsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1600: 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe (2 entries)
  PID 2732: ecabod.exe and PID 2764: adobsys.exe (the remaining entries, alternating between the two processes)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1600 (42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe) wrote to memory of PID 2732, procid_target 30 (4 entries)
  PID 1600 (42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe) wrote to memory of PID 2764, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe (PID 1600), command line: "C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe (PID 2732), command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\UserDotGB\adobsys.exe (PID 2764), command line: C:\UserDotGB\adobsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads