6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a

General

Target

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
Size

2.7MB
MD5

679bd9d09f638d451ca73641e5544839
SHA1

70018c405d497826a1a1ab6e31f87e83240a288f
SHA256

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a
SHA512

cfacaf648b1b1c732c0d3e9ce7edc41fbba6a04cef6be51c1adea52c89e1c335c1bfb7a59242e8b3d2800f1f3d3a5c371c6af299d6ab4cb6f4f2b6e5c2b146b8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSq:sxX7QnxrloE5dpUpxbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

Executes dropped EXE 2 IoCs

Processes:

sysadob.exexdobec.exe

pid process

2712 sysadob.exe
2912 xdobec.exe

pid	process
2712	sysadob.exe
2912	xdobec.exe

Loads dropped DLL 2 IoCs

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

pid	process
2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCV\\optixec.exe"	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0Y\\xdobec.exe"	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exesysadob.exexdobec.exe

pid	process
2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe
2712	sysadob.exe
2912	xdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

description	pid	process	target process
PID 2936 wrote to memory of 2712	2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	sysadob.exe
PID 2936 wrote to memory of 2712	2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	sysadob.exe
PID 2936 wrote to memory of 2712	2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	sysadob.exe
PID 2936 wrote to memory of 2712	2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	sysadob.exe
PID 2936 wrote to memory of 2912	2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	xdobec.exe
PID 2936 wrote to memory of 2912	2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	xdobec.exe
PID 2936 wrote to memory of 2912	2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	xdobec.exe
PID 2936 wrote to memory of 2912	2936	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	xdobec.exe

C:\Users\Admin\AppData\Local\Temp\6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
"C:\Users\Admin\AppData\Local\Temp\6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\UserDot0Y\xdobec.exe
C:\UserDot0Y\xdobec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBCV\optixec.exe

Filesize
1.9MB

MD5
c29ca554b2d51bc91a74bba218cadf6b

SHA1
e54997d90f515d594c3ace31712ab3912d6f886a

SHA256
09c4c6926a63910b01f9272e813dd0c7f9a8643d777913d519aed25c24d7f5ab

SHA512
02ecf26a7b46843e90ee3041df614bc4b44477d763133efce0eef13095aa9a42f3094e933f5d24d0de1d3da4f468a7006e95d20701a3c9ba09f53b3959a17c96

Download Submit
C:\KaVBCV\optixec.exe

Filesize
2.7MB

MD5
8d1855e774afd646773913eaeac71a5a

SHA1
fb27fbed3de9f699afe54b6991127016c3bf6fa2

SHA256
813eb32a04aa5ae270bd2955c181bd907f776ec6f9b0c8324b3ba3fad6ef19d2

SHA512
3938dd6fe71c1f50f11745a925a5e03f96e35185ff4dbf06ecf48511d33d9be2ec26175e199aaffe11df77ae04947f69e3ba65e734da567a407287cedaaae6b0

Download Submit
C:\UserDot0Y\xdobec.exe

Filesize
2.7MB

MD5
cc39640bb0cb52d8c13f60606b0a3f5c

SHA1
c07abafca3646e34f80c524c8eb05c9bcb3e897a

SHA256
3a869dc5c76fd2b1aedf42455a87daf8a81149ce01692a8459ce18d3fdbecfcc

SHA512
1eb7c9868d41708d1f82e5a803736cbe22752b3bdba87c43c91cabdd935d4e028eb361d477213918d38ed322f586858e6ed9dcbc59560a6fcefe1286eb1fd5e7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
32edc75aef785dc25577d58ea2f9219e

SHA1
c43640ac682622c305f15e114701202c0976b59a

SHA256
67fc9df2d784dc8217188beaf46ebbbcfb90346520880b86e2cc6f56969ea0f6

SHA512
1a9f781aa41b2c0c517e27e9a4dd313d260546e4aa59c26e1455d9ac74aae9ad47431ff8d8487fa2e4ca92ab4ffef2ba7a39f0465ca263237453d829540e437a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
3f0a717b86d2e5cb82e953eaba6df2b3

SHA1
d217d12d9b31d61992bddb70b9b8f0518ec53e1a

SHA256
0868414a65e237ff99869e3de0e077d6a923ca3906f03a9fb6fb8c1937bf53db

SHA512
befa28fdf32084a041c84521a40bd4842c6eed8846eb267fc967db5c12cd130f20c5cc0978674b5ef85cfa94bdbd1ae7d70263b5ad36bc9fd61a1036eb84ae14

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.7MB

MD5
62b48fe196c078ec4bceb4a9a0ba00a3

SHA1
b990445b46da04730cc3992075d47206553c6545

SHA256
e4b6f5eb3d61d9d6bef052e2dc62041f7510084392f460842432ddc8cb48fcd0

SHA512
f0ec2d80f4b55cc605c39e945e250a8c1473a57328023432591b124928892ab6a9bb364f9e20639e1519bee1d2557772c87fa58dec4510c7864658797a4f0ff0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads