38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24

General

Target

38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
Size

2.7MB
MD5

9582d1056e9446b70745b23e1815749f
SHA1

49b46b339f00c7f5a49ad5154c85da1aaf95713e
SHA256

38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24
SHA512

4a210f2709c748e555a3492f090ca696d69b3042f99cc2db9f541e80e59858542625be4aade09d0152aaf892a9207fcb4ae675de8deea8878f6ff3d96255a2e9
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSpg4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe

Executes dropped EXE 2 IoCs

Processes:

Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exeadobsys.exe

pid process

4652 Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552 adobsys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVO\\adobsys.exe"	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBX\\dobxsys.exe"	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

4260 ipconfig.exe
4164 NETSTAT.EXE

pid	process
4260	ipconfig.exe
4164	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exeAdmin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exeadobsys.exe

pid	process
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
3552	adobsys.exe
3552	adobsys.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4164 NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4164	NETSTAT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exeAdmin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.execmd.execmd.exe

description	pid	process	target process
PID 1080 wrote to memory of 4652	1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
PID 1080 wrote to memory of 4652	1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
PID 1080 wrote to memory of 4652	1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
PID 1080 wrote to memory of 3552	1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe	adobsys.exe
PID 1080 wrote to memory of 3552	1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe	adobsys.exe
PID 1080 wrote to memory of 3552	1080	38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe	adobsys.exe
PID 4652 wrote to memory of 2728	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 2728	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 2728	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 4604	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 4604	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 4604	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 4432	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 4432	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 4432	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 2728 wrote to memory of 4260	2728	cmd.exe	ipconfig.exe
PID 2728 wrote to memory of 4260	2728	cmd.exe	ipconfig.exe
PID 2728 wrote to memory of 4260	2728	cmd.exe	ipconfig.exe
PID 4604 wrote to memory of 4164	4604	cmd.exe	NETSTAT.EXE
PID 4604 wrote to memory of 4164	4604	cmd.exe	NETSTAT.EXE
PID 4604 wrote to memory of 4164	4604	cmd.exe	NETSTAT.EXE
PID 4652 wrote to memory of 1792	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 1792	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe
PID 4652 wrote to memory of 1792	4652	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe
"C:\Users\Admin\AppData\Local\Temp\38b6bdb203f62e238ea881ebf68ce7a0f0392bd1e4f24ac833336788118cba24.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
4⤵
- Gathers network information
PID:4260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -a
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
3⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
3⤵
PID:1792

C:\UserDotVO\adobsys.exe
C:\UserDotVO\adobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZBX\dobxsys.exe
Filesize
2.7MB

MD5
a4c35a67091fbb52592c72257a2c7d06

SHA1
234bd60f0a02e14ffe389f640f29c538ce3eec7f

SHA256
ec538bd8d69c09453bc140908571cd912f0cc67ea6e9d98a53b13ceec77ae201

SHA512
8f9949293ebef16a86ffe546cf43ed870f0b262d8459148762d7e7bbf5d6245a136ad302c30b1291d7d62c9683072f74042d4c08a28d182726d9dfb0839b904c

Download Submit
C:\LabZBX\dobxsys.exe
Filesize
1.2MB

MD5
93f54cbd6c37ff9da89d7ff5132abbb5

SHA1
194ce37fd0132456a95962778a81c7aba783c945

SHA256
8fb575f4b369624829db92dbfe3854311e7343bea72c78303fcacab40c843c90

SHA512
7253f75034f7cc42e010cae04e9445715b1102456a27258384e9f2f6a3f444fabd779218ae027066b38d13519aa391a36be0c69f4f1cf763d71266e5db44052e

Download Submit
C:\UserDotVO\adobsys.exe
Filesize
2.7MB

MD5
2ef2c1e59f056b95d2d5c549ee5139b5

SHA1
2f7219fac4feca254701898cf9cdbdb9b6261890

SHA256
3eccd48a201fe74a8c12084dc2d7e19c0429545deaee62cdd85ca22ea2f2b88c

SHA512
ec34a4fdd8be4be4499597e02df499dc1c76a2de76a788cff38996e921099bc9ad0cbe2836aade2c9db15c6e2f87792d6fc49255c163b7cf607d537741a9bd72

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
202B

MD5
6ff892e6dae8ac97b6fa34c9c6047a70

SHA1
4deb2c7ef58b273bbdf3e3576d2215b3a7d7e20d

SHA256
48d643137b1013d33fd94e67a9c1465a1581c1485e50e3579cfa6e25406e267f

SHA512
a3287caf582706e91a2c2f6c8a9a447690c863ab35302d1eb57ba4834293557ceea19aae82324c48c1afde8d405545f77f09bb80991bec02f69b2668f8d53095

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
202B

MD5
f79c7841eb0eda5f39c5816fdf85665c

SHA1
6f5fe0e221cec8571b4c42b3ac42c0fb1fb91cd2

SHA256
5d774971a7192a30f89dd12e818d1b66abf2673c66c20f706b5442f193e391d0

SHA512
99cd17fad9fab204fbb02abd003621c68efd0a2fc52ae29913e5d743d8744cf9a9a1e4dfebef354a3e4867565b6e1eebd03f24ac3d4eab53f278d3787eedd47d

Download Submit
C:\Users\Admin\grubb.list
Filesize
40KB

MD5
6c3e5e3ac301582f78d4a0c264ad6fc4

SHA1
d34c46783fff21da53f4e729ebcf0d1dba6240da

SHA256
0c0926401431e392046361c407832eb9ebf65b9a970c66909a6738beed7c5a66

SHA512
6c26f7e88f3ccfbff8ecc606dfffc0c614f3575dfa3cf84a5e34dd7a01e3e80e1298c428ad01e21d7286c586371f566c28dc3b22c2d41b1a2b1f72e930fffe94

Download Submit
C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`ecaopti.exe
Filesize
2.7MB

MD5
282347b895e38026713b3307c16b8300

SHA1
c6be6f81d830044f0066789fcbd24e6f723aff5b

SHA256
cbd59decf2480f2fe8cf288b81eb611fe10e4822cfda4f4e5e5656bc043c65d3

SHA512
e1d7c911b39411e1863ca51fe51663288aabde6b7220eba512834423f2069d493337563f20355229291f3df96f1eec61b9c0083565898ac01aaa8c08947415ef

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads