Analysis

Max time kernel: 119s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20241023-en
Resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
Submitted: 13-11-2024 13:51
Static task: static1

Behavioral task: behavioral1
  Sample: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
  Resource: win10v2004-20241007-en

(The signatures and process tree below are from the windows7_x64 run; the behavioral2 results are not shown on this page.)
General

Target: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
Size: 2.6MB
MD5: f24829d54377deba94bd4b8fde70b726
SHA1: cdbc61b458a50d33cb68270e9b077a0a0af70fc4
SHA256: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb
SHA512: 4e644377691dba3b04413d3c35a1801aa207bc45cf1c04efa9971786541fd5a6629d332d2d230b16b1318d6ba49863bf21f85741767665240e8cd1f6a741adfa
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB3B/bSi:sxX7QnxrloE5dpUpMbl
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  Process: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
  Anything placed in the per-user Startup folder runs at that user's next interactive logon; no registry change is needed for this persistence path.

Executes dropped EXE (2 IoCs)
  PID 2580  ecdevdob.exe
  PID 2728  adobloc.exe

Loads dropped DLL (2 IoCs)
  PID 2140  778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe (2 loads)
  The page does not name the DLL; the retained files are listed only by hash under Downloads.

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No process-level IoC is attached to this signature on this page, so treat it as a heuristic match rather than an observed file read.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMU\\adobloc.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAE\\optiaec.exe"
  Process: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe
  Both values use the name "Parametr". The Run value points at adobloc.exe, which is executed during the run; the RunOnce value points at C:\LabZAE\optiaec.exe, which does not appear anywhere in the process list, so the page does not show whether that file was dropped at all.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (adobloc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (ecdevdob.exe)
  These are key opens (reads), not writes; all three processes in the tree perform the check.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2140  778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe (2 hits)
  PID 2580  ecdevdob.exe and PID 2728 adobloc.exe (the remaining 62 hits, alternating between the two)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2140 (778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe) wrote to memory of PID 2580 (procid_target 30), 4 times
  PID 2140 (778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe) wrote to memory of PID 2728 (procid_target 31), 4 times
  Both targets are child processes the parent itself spawned, not unrelated processes; the page does not show what was written, so on its own this does not distinguish injection from ordinary child-process setup.
Processes

C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe  (depth 1, PID 2140)
  Command line: "C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe  (depth 2, PID 2580)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\IntelprocMU\adobloc.exe  (depth 2, PID 2728)
    Command line: C:\IntelprocMU\adobloc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

Both dropped executables are started directly by the sample (PID 2140) during the run, so execution does not wait for the persistence entries to fire at the next logon.
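A hunt for the persistence and execution indicators reported in the Signatures and Processes sections above, written as an added example; it is not part of the sandbox report. It runs over constructed records shaped like Sysmon Event ID 1 (ProcessCreate), 11 (FileCreate) and 13 (RegistryEvent: value set). The paths, the "Parametr" value name and the SHA256 set are taken from this page; the event records themselves, the benign OneDrive and notepad entries, and the all-zero hash given to adobloc.exe (the page lists no hash for that file) are made up for the demonstration. The NLS\Language key open is a registry read, which Sysmon does not log, so it is deliberately not covered.

```python
"""Hunt for the persistence and execution IoCs from the report above.

Added example; none of this is from the sandbox page. The event records are
constructed to mimic the fields of Sysmon Event ID 1 (ProcessCreate),
11 (FileCreate) and 13 (RegistryEvent: value set); the paths, value name
and hashes are the ones the report lists.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# SHA256 of the submitted sample plus the six files under Downloads.
KNOWN_SHA256 = {
    "778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb",
    "ab294209a9f0f881fe9fb981fb2189a2bbfd1844d0118a468e564fda5b2ae2c4",
    "f6f8daf7fa8cfa4414bcc8d256847822d893b99aa71eba3a62042e241e8cf4bb",
    "121ac97b8a7a52a72df9039f6614b6b5f12f144ac812b0afa297972f7fdc0ff4",
    "91f56def559fa3778c6cfd79a512e06aebba0ef85a7743718ef8d97cf99919c7",
    "e0ab39870c696813f6da52f288084953051a5a9addcbbbf48e7b665f8a80de57",
    "51ddd8eb098a2f84bb9f59ca4aac5bb3b18b2b2464d6eb8485c37749a7eefccf",
}
DROP_DIRS = ("c:\\intelprocmu\\", "c:\\labzae\\")   # lower-case, trailing '\'
RUN_VALUE_NAME = "parametr"                          # value name used for both entries
STARTUP_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


@dataclass(frozen=True)
class Hit:
    event_id: int
    rule: str
    detail: str


def sha256_from_hashes(hashes: str) -> str | None:
    """Pull the SHA256 out of Sysmon's 'MD5=..,SHA256=..,..' Hashes field."""
    for part in hashes.split(","):
        if part.strip().upper().startswith("SHA256="):
            return part.split("=", 1)[1].strip().lower()
    return None


def match_event(ev: dict) -> list[Hit]:
    """Return every IoC rule a single event trips (possibly none)."""
    hits: list[Hit] = []
    eid = ev.get("EventID")
    if eid == 13:                       # registry value set
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            name = target.rsplit("\\", 1)[-1].lower()
            data = ev.get("Details", "").lower()
            # Fire on the odd value name from the report, or on data under a drop dir.
            if name == RUN_VALUE_NAME or any(d in data for d in DROP_DIRS):
                hits.append(Hit(13, "run_key_persistence", f"{target} = {ev.get('Details')}"))
    elif eid == 11:                     # file create
        path = ev.get("TargetFilename", "")
        if STARTUP_RE.search(path) and path.lower().endswith(".exe"):
            hits.append(Hit(11, "startup_folder_drop", path))
    elif eid == 1:                      # process create
        image = ev.get("Image", "")
        if image.lower().startswith(DROP_DIRS) or STARTUP_RE.search(image):
            hits.append(Hit(1, "exec_from_drop_dir", image))
        sha = sha256_from_hashes(ev.get("Hashes", ""))
        if sha in KNOWN_SHA256:
            hits.append(Hit(1, "known_hash", f"{image} sha256={sha}"))
    return hits


def scan(events: list[dict]) -> list[Hit]:
    return [h for ev in events for h in match_event(ev)]


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe"
HKU = "HKU\\S-1-5-21-1163522206-1469769407-485553996-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\"
STARTUP = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

# Constructed events, not real telemetry. The last two are benign and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE,
     "Hashes": "MD5=f24829d54377deba94bd4b8fde70b726,SHA256=778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + "ecdevdob.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU + "Run\\Parametr", "Details": "C:\\IntelprocMU\\adobloc.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU + "RunOnce\\Parametr", "Details": "C:\\LabZAE\\optiaec.exe"},
    {"EventID": 1, "Image": STARTUP + "ecdevdob.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": "C:\\IntelprocMU\\adobloc.exe", "ParentImage": SAMPLE,
     "Hashes": "SHA256=" + "0" * 64},   # placeholder: the page gives no hash for this file
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": HKU + "Run\\OneDrive",
     "Details": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=" + "f" * 64},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"EID {hit.event_id:2d}  {hit.rule:<22} {hit.detail}")
```

The run-key rule fires on either the value name or the data, because the name is the stable part of this sample's behaviour while the drop directories are cheap to change; the hash rule is the weakest of the four and is only there to catch an unchanged copy of the sample or one of the retained files.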
Network
MITRE ATT&CK Enterprise v15
Downloads

Six files were retained from the run. The page lists them by size and hash only, with no filenames or paths; three are 2.6MB, the same size as the submitted sample.

File 1
  Filesize: 2.6MB
  MD5: a706c8baa8b0b12b7023bfd712e23f5e
  SHA1: e262a6a517f5ae526cfb9797ef102ad0c419ce51
  SHA256: ab294209a9f0f881fe9fb981fb2189a2bbfd1844d0118a468e564fda5b2ae2c4
  SHA512: bb82273dc085745e6a1abf1703d4c314d7ea44a4250cca6920711723214a50e2aa1e589fe367669f18d319c83af67604e434bbf0c13adb3f3f7587bb585aa56f

File 2
  Filesize: 2.6MB
  MD5: dab8ff3571b3172ef4ef8e579a1c9ba9
  SHA1: d1b6e8fc0b7f29944e3ece75e825eb91787c1b4b
  SHA256: f6f8daf7fa8cfa4414bcc8d256847822d893b99aa71eba3a62042e241e8cf4bb
  SHA512: d7c0f28ceddcacfa986a4e2785b999afde4bcb62c63406bba2b1eed682770ed28460f4606fb7b0270f54c4c85ef602f3bd432f994bb0829264e8ac2026e568b2

File 3
  Filesize: 2.6MB
  MD5: 5d94eab258146b91f8f3a3e75dfc07c6
  SHA1: c0aa13aa4ad0fba6bc5da7c968aad439b4103cc4
  SHA256: 121ac97b8a7a52a72df9039f6614b6b5f12f144ac812b0afa297972f7fdc0ff4
  SHA512: e9ff0e9805be15e8cd9a3c2e722aba2208ea111b0895ace8d3fad165c0ea65ae0d50c39585a79af66906c5c134b0b332466e62d205345b489a146a8236a1f0ff

File 4
  Filesize: 173B
  MD5: 52e4b03353bbe09174388d71a040476e
  SHA1: 18f5a7e86d84ce9e548bf669d6c69fa9ee9c0e1d
  SHA256: 91f56def559fa3778c6cfd79a512e06aebba0ef85a7743718ef8d97cf99919c7
  SHA512: ce7afce8080d17c8d4464db140d08c9154f7c9399bd4b87207ad4e05d147c4ad87af51b0a91ed05d78773e5287b0cf2d8043aa3a60d276b842ef33ac8c0db699

File 5
  Filesize: 205B
  MD5: b3ca6af2db8208c473c801dfaa890ea5
  SHA1: a8e476a3a1a09ac4dd79d86fb06f5a69516eac3a
  SHA256: e0ab39870c696813f6da52f288084953051a5a9addcbbbf48e7b665f8a80de57
  SHA512: bfe2a9c16d9b4f163eda4cfc9332adc58afe87c0fa26e073c6488eabdd97243b358c08baa9159937b984fbc1cd7f9564e5b1e30a013d896dc60c7596442daee1

File 6
  Filesize: 2.6MB
  MD5: 482e37d03a1881a5e4dcb1efa21ab11e
  SHA1: 137976633784ad76a06d229d67d823dd27b58736
  SHA256: 51ddd8eb098a2f84bb9f59ca4aac5bb3b18b2b2464d6eb8485c37749a7eefccf
  SHA512: 45266b00f66e1e83a39b243729547393efe162f97c64251ea2cef33f0d16261575ce9f473396f61b27b51ba61387315f5193aa5c4534f6c5f93f112320a16b81