Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 17:13

Static task: static1
Behavioral task: behavioral1
  Sample: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
  Resource: win10v2004-20241007-en
General
Target: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
Size: 2.6MB
MD5: 7dfd8ebf5512591fc9a1f79239380f6f
SHA1: ebe3dcdabe9e7f5f07f1f44573406172453c064f
SHA256: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10
SHA512: d566cd4cdd428a1d554da42cd6ca17ba53539e682c220ca447c714494f5f32e4cc538f0f526df06129b73652c882d0fcd14dc166c46efba94daa84cd069288cb
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSS:sxX7QnxrloE5dpUp6bF
Malware Config
Signatures
-
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  Process: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
-
Executes dropped EXE (2 IoCs)
  PID 2500: ecdevdob.exe
  PID 848: abodec.exe
-
Loads dropped DLL (2 IoCs)
  PID 2016: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe (2 entries; the DLL path is not recorded on this page)
-
Reads user/profile data of web browsers (3 TTPs; no IoCs listed)
  Infostealers often target stored browser data, which can include saved credentials and session cookies.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeR3\\abodec.exe"
    Process: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6T\\optialoc.exe"
    Process: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
  Note: both values share the name Parametr and point at executables in directories created directly under the drive root. C:\Galax6T\optialoc.exe is registered in RunOnce but does not appear in the process tree or the dropped-file list on this page, so its execution was not observed within the 119s run.
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: ecdevdob.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: abodec.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2016: 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe (2 entries)
  PID 2500: ecdevdob.exe and PID 848: abodec.exe (the remaining 62 entries, alternating between the two processes)
-
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2016 (95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe) wrote to memory of PID 2500 (procid_target 31): 4 entries
  PID 2016 (95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe) wrote to memory of PID 848 (procid_target 32): 4 entries
  Caveat: both targets are children that PID 2016 had just spawned, and a short burst of WriteProcessMemory calls into a newly created child is also what ordinary process creation looks like in this kind of trace, so these entries do not by themselves establish code injection.
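The persistence chain recorded in the signatures above (a file dropped into the user's Startup folder, plus a Run value and a RunOnce value, both named Parametr, pointing at executables in directories created directly under C:\) is the part of this report worth turning into detection logic. The Python below is an added example, not the sandbox's output or the sample's code: it runs three structural rules over constructed Sysmon-style event records (EventID 11 file create, 13 registry value set, 1 process create) that mirror the IoCs above, alongside two benign control events. The event records, the HKU-prefixed key path form, the field names and the EXPECTED_ROOTS list are assumptions for illustration.

```python
"""Persistence detection rules mirroring this report's IoCs.

Added example (not the sandbox's or the sample's code). It runs over
constructed Sysmon-style events: EventID 11 (FileCreate), 13 (RegistryEvent
value set) and 1 (ProcessCreate). The records, the HKU form of the key path
and the EXPECTED_ROOTS list are assumptions for illustration.
"""
import re
from collections import defaultdict

# Startup folder and Run/RunOnce key fragments as they appear in the report.
STARTUP_FOLDER = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)

# Top-level directories a legitimately installed program normally lives under
# (assumed list; extend it for your own estate).
EXPECTED_ROOTS = {"program files", "program files (x86)", "windows",
                  "users", "programdata"}

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe")
SID = "S-1-5-21-3533259084-2542256011-65585152-1000"
CV = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion"

# Constructed to mirror the report's IoCs; this is not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\ecdevdob.exe"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": CV + r"\Run\Parametr",
     "Details": r"C:\AdobeR3\abodec.exe"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": CV + r"\RunOnce\Parametr",
     "Details": r"C:\Galax6T\optialoc.exe"},
    {"EventID": 1, "Image": r"C:\AdobeR3\abodec.exe", "ParentImage": DROPPER},
    # Benign controls: an installer registering an updater under Program Files
    # and an ordinary document write must not trip the strong rules.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": CV + r"\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]


def is_root_dir_binary(path: str) -> bool:
    """True for paths like C:\\AdobeR3\\abodec.exe: an .exe exactly one directory
    below the drive root, where that directory is not a standard system root."""
    parts = path.strip().strip('"').split("\\")
    if len(parts) != 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    return parts[2].lower().endswith(".exe") and parts[1].lower() not in EXPECTED_ROOTS


def detect(events):
    """Return (rule, image, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        eid, image = ev["EventID"], ev["Image"]
        if eid == 11 and STARTUP_FOLDER.search(ev["TargetFilename"]):
            findings.append(("startup_folder_drop", image, ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            # Any Run/RunOnce write is logged; one whose target lives in an
            # ad-hoc root directory is the strong variant.
            rule = ("run_key_root_dir_binary" if is_root_dir_binary(ev["Details"])
                    else "run_key_write")
            findings.append((rule, image, ev["TargetObject"] + " = " + ev["Details"]))
        elif eid == 1 and is_root_dir_binary(image):
            findings.append(("exec_from_root_dir", image, ev.get("ParentImage", "")))
    return findings


def persistence_score(findings):
    """Count strong persistence findings per source image. The report's dropper
    scores 3 (Startup drop + Run + RunOnce); a single Run write by an installer
    scores nothing, which is the threshold worth alerting on."""
    strong = {"startup_folder_drop", "run_key_root_dir_binary"}
    per_image = defaultdict(int)
    for rule, image, _ in findings:
        if rule in strong:
            per_image[image] += 1
    return dict(per_image)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, image, detail in hits:
        print(f"{rule:26} {image}\n{'':26} {detail}")
    print(persistence_score(hits))
```

The NLS\Language key open from the language-discovery signature is deliberately not covered: Sysmon records registry value writes and key create/delete/rename, not key opens or reads, so that behaviour needs an API-level hook or a sandbox trace rather than Sysmon. The literal value name Parametr is also left out of the rules on purpose; it is a brittle indicator compared with the structural pattern of a Run/RunOnce value pointing into a directory created directly under the drive root.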
Processes
-
C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe (PID 2016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe (PID 2500, child of 2016)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  -
  C:\AdobeR3\abodec.exe (PID 848, child of 2016)
    Command line: C:\AdobeR3\abodec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files (no path or filename is recorded for these entries on this page):
-
Filesize: 2.6MB
MD5: 39244d9ba1a52e4aeef4259c9e698e90
SHA1: 5ae70bc14e19c264ea60e5e0fb27e116405d7deb
SHA256: 40869c814345bf023b4be62cab3aa85b1b3e5352deec3c2ab2e820a3c17f81bb
SHA512: a48b3d92171e906d3b39b9808ed5c00ecd68e59961be2697b3352b9016e420a51846518cbe7a08a7af03b10b952beb7e59b30f6f6ac00f6da431afea9c9920d9
-
Filesize: 2.6MB
MD5: ae403f060aa22cad7b0ed0009dcab246
SHA1: 28bc0a15cf767caadeaeac040ddf4da37ef81571
SHA256: 19080880aeca3d3074d5394bd46ef1ba653f783c861a13a14c031ae26bea2393
SHA512: 04b584f990b7b67c55c742dabc8e18e4e18a15260fad82a91a4cf9fa254d75f6a193db911d63e8db0e1b933ac04a64f989f1283da281d69bff0d4814ed157e05
-
Filesize: 2.6MB
MD5: b65eaa6b527a3af59bd949a90da7cba2
SHA1: aa021b73edff73c7f29e237a2cebaa335ba5f5df
SHA256: 77ab70d58e706461912632334bb6007cb4e9073e0ad34790ad1f1c0358941123
SHA512: 9f9d26df3c8b177995f53b7b65dcb05d886ce163a8acfb7ae256170bc5bf6ee5c20b29046e3e81a04f04ebe9e536c53ae626eff29a1cc677136491326164d7cb
-
Filesize: 170B
MD5: caab9aa866e9537d4b4e8f7a71b1c322
SHA1: bfb3db4a64d7a43e56871b285406bf1ad3f1b788
SHA256: 07b637558e81b303e132a09b6ce3ae1fe5c0fc6521a45ecf9a0d05f8bdf65919
SHA512: a7c257465067957f8d973dc1fcf471f2f1a01b0cca3edd252c569b390280d0b7d0d87e44f7e4f5b5d9bff1d262bdb38ef0684b619ac07494b5c9a47c41a88782
-
Filesize: 202B
MD5: 133bc5fd613094e0373c8c12c84fb475
SHA1: 2de9773784ae3a3bbd7a6de189a8d44345f72d5a
SHA256: 4dd243e7d2f0925e498a468e9dd47378ba016f8b37e872c8aaa22e9eb885b034
SHA512: 4d75d35da7fc0575d20b02d4b29aa8f78f2aeabc53f2fbeaf488f65bdf16feca3e38babd9b23689a0c1550f1baa7d2888931b8040270754c7425c4f511701271
-
Filesize: 2.6MB
MD5: 66f212d571e1b9aec9d49982a68c9944
SHA1: 4d5f794f18c0240e71494cf3fdd08006d34a3fca
SHA256: 8618595687a8527abc16205b8ed5c96770b1aa4d621736c29b838725e16c422c
SHA512: 4c018ef074cacbcb00dc09192a1fb845c9a0904b329448b1e69a291e8336be67729e6e440467192cc015649be51a290689fbc25220c1c2832f1609e8ae7a53ed
-
Note: the four 2.6MB entries match the submitted sample in size but differ in hash from it (MD5 7dfd8ebf5512591fc9a1f79239380f6f) and from each other, so the dropped copies are not byte-identical to the parent. Hashes of the dropped files are therefore unlikely to generalise; the Startup-folder path, the C:\AdobeR3\ and C:\Galax6T\ directories and the Run/RunOnce value name Parametr are the more durable indicators from this run.