8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1

General

Target

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
Size

4.0MB
MD5

4ba714688c93c8d3f0adfcd0eb7fcd1b
SHA1

2e88c41f8d27b1eefed07d2eb3c38a142a2a0d12
SHA256

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1
SHA512

901b6d1611aa2b5d3c265f4da63e4c371c854c9117822bec386488a45fdea9ec7179d5ecf8933ea2bcc29fb3caef3a96bc660801987cbd3db3b476e1bf6dc2d0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBMB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpHbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

Executes dropped EXE 2 IoCs

Processes:

sysadob.exedevdobsys.exe

pid process

2100 sysadob.exe
2236 devdobsys.exe

pid	process
2100	sysadob.exe
2236	devdobsys.exe

Loads dropped DLL 2 IoCs

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

pid	process
1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe96\\devdobsys.exe"	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNS\\dobxec.exe"	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exesysadob.exedevdobsys.exe

pid	process
1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe
2100	sysadob.exe
2236	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe

description	pid	process	target process
PID 1196 wrote to memory of 2100	1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	sysadob.exe
PID 1196 wrote to memory of 2100	1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	sysadob.exe
PID 1196 wrote to memory of 2100	1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	sysadob.exe
PID 1196 wrote to memory of 2100	1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	sysadob.exe
PID 1196 wrote to memory of 2236	1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	devdobsys.exe
PID 1196 wrote to memory of 2236	1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	devdobsys.exe
PID 1196 wrote to memory of 2236	1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	devdobsys.exe
PID 1196 wrote to memory of 2236	1196	8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe	devdobsys.exe

C:\Users\Admin\AppData\Local\Temp\8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe
"C:\Users\Admin\AppData\Local\Temp\8043432d8bce3f9790f99b528b8fc27d2f7d0dd8d4bb02e0ac2aaffbb4fa7de1.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Adobe96\devdobsys.exe
C:\Adobe96\devdobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2236

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe96\devdobsys.exe
Filesize
4.0MB

MD5
002ff967f871e0ea5aa751405a3bf718

SHA1
f3c45f69ac77edb038447a5ee25cfba40d6659cd

SHA256
cea8ffdf0083fef5411dda0803b5dd2ca470dcff25f96e344e1333d80a247389

SHA512
f6a247549ae80588f902c6f3e1cbd7790f7f82f75290f7c468ca212fb27e1ca1e0e006f5c471908b0934c1546ed5927a5ba526dce069c4971b3ec5c29333bf99

Download Submit
C:\MintNS\dobxec.exe
Filesize
4.0MB

MD5
4a68d14ba432fa4940c9adf118c1b322

SHA1
58c4790bee2c37bd39de4475899414155e65faf1

SHA256
cea35101a589efc1e293148ebfc7d82b35e9f2c27de2012066c7246301783e72

SHA512
c76731f4c2e7cb9ddd98d580a56a32b1bf7dffc7c62d57066c02b920cd371d903ee85a5caab718ec7c03c42ca2f7cb0e1c2cfe19e080a2b56d398ed755424223

Download Submit
C:\MintNS\dobxec.exe
Filesize
211KB

MD5
6b1f757f4294b549e493f2a43ce6f561

SHA1
41efc9c7d40accc9b752a463948c1294fc3e1577

SHA256
c6b1bf02a67c696ea9b2eebae67d54bb5143db913201075e3d3d9eb8774cc4bf

SHA512
41fb0d888008be32e99cf8c5d34e4a31c3c05e61f5f2b249f6e025846b5e11bd8bbc57f508528bc232aeda41905282c50bad3a24dcd4a56f9e93fe8a8c2c5c45

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
169B

MD5
5f3a5ed164750b392f7ca50eaa48d718

SHA1
05c6502fe9327d461e9977914367dc8f16d0728f

SHA256
a6c9563336f6732c0113a51d9903da8cf0bc055ea68421645165f68637c27f8d

SHA512
9cc3c54981ad2b2a2e2e7181943ff2571b4e1ae1ca67237e0c9863d2fd13622ab0844a773943ce2f9bcd99603c0f738a60adbe846c0172e04671dd390afed224

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
201B

MD5
94baef2e63417150cfea35023336314d

SHA1
7cf8e47c93c394529bbe0ce64747500453f17ba2

SHA256
9cf8c64d7fc30ad8440b8ff13dc3e76a03970d6df9053de2d459272328b0c085

SHA512
e09eb8fbe7a97bfad5c0df2d0c6c3fb38e2b03310365fd43499f6118ef5386971541e1ecfa3f9e4ca984dd19a180890a131388d2048d07964d100dcc4c59f432

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
Filesize
4.0MB

MD5
99035d567295df6d604c5a759486e48b

SHA1
33d6683a51731fda4775fab2abdfaa3dcc2f3cb4

SHA256
a2f16b3fe30603bdd77d118cc3f504d422da67a8375f64a9ff7b0991f27a4912

SHA512
58f3efe539dfe1f567694488f0a3724d5dbaef37cb30695fed8d7f2d2cd813ba9eeae49fc1340e49f0c3737ae9cd839240614388acf5d528ad5d00ba1fbf97cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads