7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b

General

Target

7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe
Size

3.1MB
MD5

8a90897b2a16ddd04027f537510b37c8
SHA1

9b2ea23f6905dc00a492255c77cf2303e4f607b8
SHA256

7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b
SHA512

fc2e72bd0015f8f53f76cccf25225f110dd89e3b4aaf7c7a08d2bd8319c06566dfc9b740ecf0549ab28569227fa86e4f4f7f1e73b594daa371c4a1b5eaeda3ab
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpLbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe

Executes dropped EXE 2 IoCs

Processes:

sysdevdob.exeadobec.exe

pid process

2944 sysdevdob.exe
2468 adobec.exe

pid	process
2944	sysdevdob.exe
2468	adobec.exe

Loads dropped DLL 2 IoCs

Processes:

7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe

pid	process
2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe
2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNR\\adobec.exe"	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6K\\bodaloc.exe"	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exesysdevdob.exeadobec.exe

pid	process
2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe
2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe
2944	sysdevdob.exe
2468	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe

description	pid	process	target process
PID 2836 wrote to memory of 2944	2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe	sysdevdob.exe
PID 2836 wrote to memory of 2944	2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe	sysdevdob.exe
PID 2836 wrote to memory of 2944	2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe	sysdevdob.exe
PID 2836 wrote to memory of 2944	2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe	sysdevdob.exe
PID 2836 wrote to memory of 2468	2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe	adobec.exe
PID 2836 wrote to memory of 2468	2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe	adobec.exe
PID 2836 wrote to memory of 2468	2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe	adobec.exe
PID 2836 wrote to memory of 2468	2836	7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe	adobec.exe

C:\Users\Admin\AppData\Local\Temp\7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe
"C:\Users\Admin\AppData\Local\Temp\7c6d170d845da0839937cbbcb77305aa93e8443a11305f27c56c9fb23149ce9b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\AdobeNR\adobec.exe
C:\AdobeNR\adobec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2468

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNR\adobec.exe
Filesize
3.1MB

MD5
e04b7a97712c12e7c0b8b6027879d361

SHA1
03398d9c8996c99dce6c057b9a824510830f70f8

SHA256
1696e256168e2e195e4a1602c37589980022252fc73ed040ae6f89bda6347af5

SHA512
0a89efaedf7dcca649829a2e3786f9c47fe756b8fd8e798f2099ff4d00afdeba0bd7525b694a5c61f9b6231338bda0e853f50095c0a3f5a2ab4d86dded4efdcb

Download Submit
C:\KaVB6K\bodaloc.exe
Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\KaVB6K\bodaloc.exe
Filesize
3.1MB

MD5
0449c89eeb684bcd5e91090bf68533af

SHA1
f544af2aefd752659d68df71dd260bd07f51cd87

SHA256
f237d3fe5aa6a83f123344ea4437ee0a0a5d873bea2a3f24ccae19deafe380e9

SHA512
95d470474b9949265c72793502d34ea121f9d3e314494c800d326c37b6d5c1078ddee456df81541831d0b8a4bee63dba7a06369a31d88ea255dd8e7d60008e4d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
169B

MD5
7f6bccd7f335ffb51e672763ef1d53c1

SHA1
c90d7c917bc3cc86b8f07aa6f6ca35b07877fc8c

SHA256
e8528799a6a8d33154ab69e9536a8c2a43bed7c14d98c86e85d91c96133d260f

SHA512
07cabc44dcca558a732e6fcebc56b92ca3ae67bcb9997108987468c2f6bf2ef3dda7745d2551c397bebb929b3b220fe0bddd7f59bdb247bab5a785c83473296f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
201B

MD5
bccfc7dae1c23189d697dda4c5f3d34f

SHA1
d8defe0126617cad068edc5176ece5f51a4ec69e

SHA256
ecd6c72f4cc2cb8d821161882d48b7017b3b96e7028cd852b504b2259594bf6a

SHA512
58695de166b963fc98392093202a6efee67940c67326a2c946316dfeac8aa770cde284bf3f2108609901de3e6faf0b533ce31ec32b6313a40e1e108bb5499080

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
Filesize
3.1MB

MD5
e26cc21614278fad3bab1dcd24189de2

SHA1
4844c52df7770e9c67977d56b20fce7725d2fcdf

SHA256
14afbe978d1648e1e28c03e045f2dcae5e0f3a3b4aad8b0a56eddab17ddb5563

SHA512
12f7aaa5c5df648100206bd6198e3f3b0ef79da03d76b43b66bc36f72c324abe1ae93d5b5bfef89ad26d929f5011e55e6da415dd267a0a9a6b150ff934212be8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads