Analysis
- max time kernel: 119s
- max time network: 83s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 13:59
Static task: static1
Behavioral task: behavioral1
  Sample: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
  Resource: win10v2004-20241007-en
General
- Target: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
- Size: 2.6MB
- MD5: c36ab471590b1748155fd280cf12245c
- SHA1: b2536fb5858b058629ad1fd9a3e2e1caed757f71
- SHA256: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2
- SHA512: 2f053d576b94cedc7a704c6ba10a50a74f462d9bc98194b04b520b1ae4a185324491fd75f9e38011f069b40cd1b24d8f87a87267cfb8748cd04037f7ae748ab9
- SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSq1:sxX7QnxrloE5dpUpUbV1
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (by 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe)
- Executes dropped EXE (2 IoCs)
  Processes: ecdevopti.exe, adobloc.exe
  PID 3632: ecdevopti.exe
  PID 2992: adobloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8K\\adobloc.exe" (by 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7V\\dobaec.exe" (by 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe, ecdevopti.exe, adobloc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by ecdevopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by adobloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe, ecdevopti.exe, adobloc.exe
  PID 2344: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe (4 entries)
  PID 3632: ecdevopti.exe and PID 2992: adobloc.exe (the remaining 60 entries, alternating in pairs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe
  PID 2344 (1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe) wrote to memory of PID 3632, procid_target 86 (3 entries)
  PID 2344 (1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe) wrote to memory of PID 2992, procid_target 89 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe (PID 2344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe"
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe (PID 3632)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\UserDot8K\adobloc.exe (PID 2992)
    Command line: C:\UserDot8K\adobloc.exe
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 23b9af3c82fd8afb5a068bcd3e08ae51
  SHA1: 0f8a490aaa15a6c8eed665b94185710a49f46974
  SHA256: 13adb7641b1b2c5e910453141fd0d4761f0f27dba808e3fce8e6f28ea023a751
  SHA512: 8c4c9cfe12b8b459df21bc287da4d6e06ec33cda49e032e4193c61a4bc68cddf63653afefd2735cb408535472e13748e28b2b512e3a43f93484a9497740faee2
- Filesize: 202B
  MD5: e287b52e70cf2f5bd68165cdacbcfb39
  SHA1: ec3f4eef38c2b0d950473f94ca2d6381674b6f2a
  SHA256: 74e280f6b13a488084568df0f0a1eaf4df9bf6915e023785915d0aef2d9f3960
  SHA512: 3d5c642a9a4c6f9ca7f8d14123ef8c19e3d547549b260583e9066b4fb6f0c8c5440cebd973e2ae4509370700e8b6659b2974c0b645e70d2355fe6956e0a9acad
- Filesize: 170B
  MD5: c9746e30437a669d3615def2c0d93464
  SHA1: f9d8b2b966363f5e40f0b70d3c92cf7c8919c414
  SHA256: 9bfb29a7cbea7740ba18516db524c41d2c5d753054ea6564136b76f8b2372552
  SHA512: 737c2f9913a5a296b9ce1029f2b4eb086ee29fc17bc40c6a3df7e56c3a0dc316898b525d64ae1ea95664f38ce44e7dd4b719cd1120850c6e6a3b58034e7e32ba
- Filesize: 2.6MB
  MD5: ba5b380699cf75d1987acc20e57ab57b
  SHA1: afb20df2599d590796229ee07e30c2cef33904c3
  SHA256: d12733b58317ac431a012c427779d5df6a5036812658866e92c38a2f07e3fcc5
  SHA512: cd0b33387fc5ac15521afb1ff3b1054e0a6faed58374f6bfbf8a4561b7f8f1e697eb85d095d4056121dfae86da216b663a3e1ebafb62ce869db49c96ad451e9c
- Filesize: 2.6MB
  MD5: a1feffb4cb528bf0f07d30f4be398441
  SHA1: d23fd0af780a9db09190af0428e2ab36f6c47232
  SHA256: 577faef1e0ba9560582a739dc644b77dcc82342c8634def81fdfb009e202d00d
  SHA512: 52ee2ea3ae237321770408381e62a488af29741af0f0e7fb62378b81ed4aebcc7914c8282548640320e05d310f21a5e8907624e2f2f533b7c91985967f57d524
- Filesize: 437KB
  MD5: 2b50093d6627fcee545e6990d82f9c4b
  SHA1: 2e37331732f0e4ef9c52c719f672b02c5f4c8b8c
  SHA256: 3301bdc72e896d08e5ac823ab3ba8ddc39c9f5614f5289a4f8f7d3199d7450be
  SHA512: 814b6e92697aef4370d379a2bdc0537f3c49481e0dc1a1c620143c201433fca2cf64ed8761b8fde0da719cb7a33af7e5aa38bd61e3ac638b54b49be8797988a8