9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe
Size

3.0MB
MD5

6e10588043a7fc0bf07fab990dd60a11
SHA1

10e1b15eae5472ea514a20eb841cfbbcf0154995
SHA256

9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7
SHA512

732d22a19d42c174d96b93537b4157dc70391816dfcfc29203a2c4fe2a06d4724ef932b7e88a84d6fc9dab20ecf63d6246add50a0cd1d971fedec82618121a74
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBVB/bSqz8b6LNX:sxX7QnxrloE5dpUpmbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe

Executes dropped EXE 2 IoCs

pid	Process
1476	sysxopti.exe
1112	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8R\\adobloc.exe"	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6M\\boddevsys.exe"	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe
324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe
324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe
324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe
1476	sysxopti.exe
1476	sysxopti.exe
1112	adobloc.exe
1112	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 1476	324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe	88
PID 324 wrote to memory of 1476	324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe	88
PID 324 wrote to memory of 1476	324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe	88
PID 324 wrote to memory of 1112	324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe	89
PID 324 wrote to memory of 1112	324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe	89
PID 324 wrote to memory of 1112	324	9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe	89

C:\Users\Admin\AppData\Local\Temp\9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe
"C:\Users\Admin\AppData\Local\Temp\9eeb2929863ac93e6fd6ccc909f1a256c02f40bfefb0323e9048007b8572dfb7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Files8R\adobloc.exe
  C:\Files8R\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files8R\adobloc.exe

Filesize
1.1MB

MD5
e6cc30cb3b86bd15867eccf9c98c53b4

SHA1
2ba8c02f2f251108fd2f295501b72dab2ea9f24e

SHA256
6c2c612274cf0d4a72d6b388a08aac7080f58bf0bb97ed21b5f6cb9c7cc25ff2

SHA512
eeb3fdac2bda2bd8ee6c1b9e0680ab1c2af05a255aaaf41576cccbce9b7bd8fd221b8cbd0201dd4c7e1c756e2fdb8c47169103d35e8c307233877c1d74ccf039

Download Submit
C:\Files8R\adobloc.exe

Filesize
3.0MB

MD5
a7647ef157f333df8fa3b85238e0495b

SHA1
335e80bdef45bc01264f27374a548ab9a63cab17

SHA256
b2ac941cd0b85e924fadeca627ec0331390797494017ff6ac3e16b3ed6d9d724

SHA512
ea4ce7613ae3be43865d918b6df4a16d955739a3531a22bb1540786cd063052fb6ea36f6f10d44503cfd1976cd2d5b959725b52334cbe0e335daad093cab3d6e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
e6f734a5561a5b47d6d7d945753794d6

SHA1
5541b9fe654dc2c9692169f68bce910cbac001bc

SHA256
aa88ed2323254b44aacb898cea659604489c5981d4c92e029eba70a244290999

SHA512
613a45b22f2e261e8f4fff090d48f8ccdbdbf4b2af9d71fac7760f0050424f96bcc1e4ecb6e6ca058c028cb96b369985eedc8f5df9d2a638a0df2340f0362543

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
64c994bb7103c7e2f5402b675fe551de

SHA1
6af8fc1298ec8d19a70f2d432e63c113614e70ea

SHA256
97bdf488c25f117b047cfcb2412360c3ba1edad90ca7f3357efd2f4f60c064d2

SHA512
d778f04a58c325270abd7812b8e5a8e1aad6f8a982847c9295ec65e51e0aa719b41559aaf4a3607ed7b6a18bfc2f70ea9ec1ad8f187d15a28e56ef68972b29d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

Filesize
3.0MB

MD5
b1104452cc9a37b5c4eec221a73ea784

SHA1
b8c76e67cddbc728ddf10f381aa8acb0825532e5

SHA256
92b55e7fd5be611131be4f59ae82fbcf6cf36d9669363db1d2f8a3027090a9e1

SHA512
70a1b0219e7b2ba1eab90db91cc3a0cdb111111f9a7b7e07bd89a770f7f39ebc0dab739a68c848b7712a857e238e8bf0f3c2bd02a8df15e09c086fa5a6b656a2

Download Submit
C:\Vid6M\boddevsys.exe

Filesize
227KB

MD5
fab97463cf3f4d1404e687844122365e

SHA1
a70ea88a2db3a06fe70135ca7b2b7bcdc262e578

SHA256
8b33d5703ad9f11cb9626c2c89bd78a56769cdd16f9cd6bc13d480f61e937691

SHA512
0001da8c7a5e88e218621627c0b1c5a33128ea5c05d038034946da605893105f710f8e3ef901110324e03581f9efc48f4225eebb963bec8bc2d578f095e0eded

Download Submit
C:\Vid6M\boddevsys.exe

Filesize
159KB

MD5
69d5d8a5560a569d4b62991e3ff1e5e9

SHA1
ca80bff24ce364fa2f4c6fd68c798726c224500a

SHA256
c819e33858d1a1135119da386dc51661820900c8eb1d72966a7ee1833b7eff95

SHA512
5813a83da0e87f30293bf3a838af171225bea1d87e929a588d160008634712911192e87ee9c8860089b8d408d0f17ea963ada5f12a1f407e5d1b3b2d8b634cbe

Download Submit