adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
Size

4.0MB
MD5

83859f706991a080c25d6e18466050ea
SHA1

d2e7df8152b76046c4a689e18a023ec3c3196df3
SHA256

adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93
SHA512

103c0645874ecc5a07cec6525d0efffdabd773a5414c9d43fd681be64f503558e03bf5e8e6492534b5eafe6df8beb4c5e02534ab1179ca77244e62652c5a3df1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBOB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpJbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe

Executes dropped EXE 2 IoCs

pid	Process
3808	locdevdob.exe
3616	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4J\\adobsys.exe"	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8O\\boddevloc.exe"	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe
3808	locdevdob.exe
3808	locdevdob.exe
3616	adobsys.exe
3616	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3808	4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	91
PID 4888 wrote to memory of 3808	4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	91
PID 4888 wrote to memory of 3808	4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	91
PID 4888 wrote to memory of 3616	4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	92
PID 4888 wrote to memory of 3616	4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	92
PID 4888 wrote to memory of 3616	4888	adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe	92

C:\Users\Admin\AppData\Local\Temp\adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe
"C:\Users\Admin\AppData\Local\Temp\adfc7d2f64c6e137d7c5b2e71fddcdb6778159f0e70a577e3bfcd20dba811f93.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
- C:\Adobe4J\adobsys.exe
  C:\Adobe4J\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe4J\adobsys.exe

Filesize
4.0MB

MD5
3d44954647e4847ef97686bd02082aa1

SHA1
f16649466a32db4617e37eccb645af13da8a4dc0

SHA256
f17c687e362789e9d9d21fff8b9ad09bd4968142265c511a01fd018b6db8c23d

SHA512
96fe6a5e72ccad143e197a5b9fdb4d7eee8e6e3e630235ffe1a535a11f8b5975509c7883a176a3a8152fd418c6cc3251a0c43d978247ca0704898d1a011f1330

Download Submit
C:\Galax8O\boddevloc.exe

Filesize
2.1MB

MD5
de70b05ad90f01d595058b10f9ef435b

SHA1
adb1e406331274fcebf2cf71a58f8113ab899c7e

SHA256
06b4cca1a73a79c5010b31878abcc81aa773625701007e34977c4c9f8e1ad6df

SHA512
5de5dd91d4202e1e17b4d7e7838889f24a43d2fef7cea5f46245c385510c79b15c76a4cfd3befd46673930f59698358c604917d28d73bbde1342a9cf3791ff82

Download Submit
C:\Galax8O\boddevloc.exe

Filesize
4.0MB

MD5
a22d920560d6d5181ec17f0450479db8

SHA1
e70aa5f81fddd265e6a0d6f7caa8c53de67fbd06

SHA256
556378ce49ebccf1b9ea359481510e3766f400bb2770080568529f0a05dfb479

SHA512
49f6e3370f9c052f3a3a85d532ee4582bdb35cee798bdd5d29dd7abc1bb1b105b12acf26eea7e18ff53af30842dea26f2d6c80abcc1bf80937029dbf0649c435

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
224dbe948bb25bda5047a50bd90e1e57

SHA1
56d2c65da5c1a1dbd6e871d229ddd236de0e57c2

SHA256
c781ce6c99c58408fcff70de4f323ac6e7c04a07b178e063f02036ad2468b9d6

SHA512
4fed69a0a44ecad596b35d9738aa32261f8b0bcd661c6695353b6231cb436551d9b53f958761030fde85e24674bdc26623049438cae4a1aaf3da6d1c76681dfb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
9b9ef469ea811c74594d3c4c74a2a716

SHA1
9d3868021a8d76fa79847038869a7e38b154d119

SHA256
5cc484ea376c64ca55a0386e683e84067433e370d4861a455b5359474627e37f

SHA512
de309560dc99fd83c3488a21948725f6abf0634de94756aa71fb03b22f4b1466f1fd524914791a03a71d772cb8f43fad92971170324ae329789ecf14dba3fad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe

Filesize
4.0MB

MD5
1737a96898eef2af015f888728a1584d

SHA1
d1d94e0303dbbf684a5d5f0417c6e4aa39f261eb

SHA256
4470d7150b1a54d297d9ab1856f4da5481020dd41923669a7ffc814b3f52a2d9

SHA512
fe3d0a7efcfba76e7e075709ae384ba9e44156a53edeb9568580819d4a7db33e7bc11fd02a4c93407a4d441fe88887467b071a36492588cd397543585010d502

Download Submit