Analysis
max time kernel: 119s
max time network: 17s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 13:29

Static task: static1
Behavioral task: behavioral1
  Sample: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
  Resource: win10v2004-20241007-en
General
Target: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
Size: 2.6MB
MD5: 6c649a12d61a5f3889c77d89f4aa7976
SHA1: 7dff6159d926f37bd63ff8628c26e682bfef485f
SHA256: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699
SHA512: 2de6e0dd6219de9ddcdb94ec539519aac987298784f49ab958bc1119ed91f4cef3e23c49ba911335d3a794f44391ed382cbd14dc19148465a976a0236e31db40
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB5B/bSqt:sxX7QnxrloE5dpUpebVt
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (by acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe)

Executes dropped EXE 2 IoCs
Processes:
  PID 2056: ecadob.exe
  PID 2332: devdobsys.exe

Loads dropped DLL 2 IoCs
Processes:
  PID 2536: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe (2 load events)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPY\\devdobsys.exe" (by acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBM\\boddevsys.exe" (by acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe)
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by ecadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by devdobsys.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 events, repeated across these three processes):
  PID 2536: acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
  PID 2056: ecadob.exe
  PID 2332: devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 2536 (acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe) wrote to memory of PID 2056, procid_target 30 (4 events)
  PID 2536 (acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe) wrote to memory of PID 2332, procid_target 31 (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe (PID 2536)
   Command line: "C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (PID 2056, child of PID 2536)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\IntelprocPY\devdobsys.exe (PID 2332, child of PID 2536)
      Command line: C:\IntelprocPY\devdobsys.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads