5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe
Size

2.6MB
MD5

e2d44cef0dbefaf78b8b724877c26a90
SHA1

7d08b4c6f0cc70ce1a7ae4af7f02cc376c309083
SHA256

5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423
SHA512

a9df8181a9c7ccede3898d06f44d8926274c64d9fd53ed63ca6b1ec614201e628b8b4271793def8a8c41601782b7ffe00f0314d972e019bf75208cc8209c053a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBaB/bS:sxX7QnxrloE5dpUpFb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe

Executes dropped EXE 2 IoCs

pid	Process
2480	ecdevdob.exe
2320	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe
2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSK\\adobec.exe"	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ39\\optiaec.exe"	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe
2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe
2480	ecdevdob.exe
2320	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2480	2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe	30
PID 2580 wrote to memory of 2480	2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe	30
PID 2580 wrote to memory of 2480	2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe	30
PID 2580 wrote to memory of 2480	2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe	30
PID 2580 wrote to memory of 2320	2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe	31
PID 2580 wrote to memory of 2320	2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe	31
PID 2580 wrote to memory of 2320	2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe	31
PID 2580 wrote to memory of 2320	2580	5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe	31

C:\Users\Admin\AppData\Local\Temp\5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe
"C:\Users\Admin\AppData\Local\Temp\5ee20e869e152cdbd4a8a8ebffd71ff58f9d77b20b12467d13f0d53141071423N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\IntelprocSK\adobec.exe
  C:\IntelprocSK\adobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocSK\adobec.exe

Filesize
2.6MB

MD5
b6e5b97ffabece9e94b81be95c9cba63

SHA1
197a65cd96ff36cc83095b60dacc4bab82b0f21f

SHA256
0bdb2c8092c6774f3de2f057827caf91a054b6d61372888f19389e1e286f3b13

SHA512
a43bd2c8e69df1ab45d7e857c6023a6f3687b445ccb2277057fe83495e5b983a4aaaef8fed216e1db85ec649033b8ea8c693e72acedff2b886fcc456316a9e82

Download Submit
C:\LabZ39\optiaec.exe

Filesize
2.6MB

MD5
7ee703db2eabf0f9beed514a74bcf798

SHA1
5d3c4b7a4d94056e9985c761b69c3bf887d581a6

SHA256
806a67fe9aa7b4531d61376d2caa6e94b129f493f5dbd3acd3efc0863d1b12a5

SHA512
e4368734d7cb0e610acacd36519900ba99179fb08356b10c28c6fe477fac31174c1fb60a3ab336c555f88b807a4a2b95418f8587e468c847b523f78c5c85e816

Download Submit
C:\LabZ39\optiaec.exe

Filesize
2.6MB

MD5
37c97e85b18e36942e5f9e21e197669a

SHA1
0533aabae26c1ef0d938bf606aaf061417a9916b

SHA256
722ac0ef278714a80172c2de8d0fc207077f52b36b7ee3907a4ddcf979393cea

SHA512
53d77a6396950f43221d4af069cbc25ce4c01ec215d761a3a7a078bbe71e1d7d13b31ce730ddd3fc3aa858e98f58cc2d43fa26de8e988a34f8cc473f48a3cb00

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
d91f2ae795f557fa52784b72f36606c9

SHA1
62a799f3b788ece5dc2ee665901ce780deb2ad49

SHA256
1dfe9e2bcbc859745741269085ee4341b39ff69b383ac279a89b97bd79c824ea

SHA512
df1502b9326f0b52e55b0b2ea224454f872d7848844130097e8ad298e955da490d42232cdfdb202a5a251658ba95d7389c223105c5ee0c65a9f71e28ce5df7ec

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
9e5ddf03b1692fc7d6bc5155c5152898

SHA1
7b0773211d92e9a3cd1dd7f4038b473872f27bc6

SHA256
33c07c926f1370f6a38cff20e68a3019be4ade480bbd8521faaf8f839a8d3095

SHA512
206157ab31a383f9c708d504b8e20642ac2a47df499641c16b29bc32830673c424fbeffde78132a5fa7ee0af386545b34cfb6a40398e7838a0da85243d750b71

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe

Filesize
2.6MB

MD5
06933e686fa4de95a1aaf3c722472f0f

SHA1
b2eb3d176979f66a78c408b8d1a47428f5b8ed21

SHA256
7d7abb9a28111c46598fd4a61736fa89405457568df383a1f7503b3a3c28fd3c

SHA512
c4199010c2e2709582cd2c6a74504cb80f17842cb60cd4dbcacee97205c771cfa43fcddc0a6d29d3e97a9f3c6af59aea75187f1ae44a0cc8c0d1311134ffcc4b

Download Submit