a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156

General

Target

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
Size

3.1MB
MD5

10b20e46c3cea4e5430150391ed0afe0
SHA1

d64f8ba7201d52582c1bd6dda7f8b33b141f3746
SHA256

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156
SHA512

471fa1e717717a6626800e5dc4c7d9e1290a186dc1ff76c23dcf68ea71e6d6558c9954a909817e5d16315aea6b75a0a65d5e4038ae882a811d2298516a83421a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBsB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp7bVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

Executes dropped EXE 2 IoCs

Processes:

sysxdob.exeadobsys.exe

pid process

2984 sysxdob.exe
2104 adobsys.exe

pid	process
2984	sysxdob.exe
2104	adobsys.exe

Loads dropped DLL 2 IoCs

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

pid	process
1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPX\\adobsys.exe"	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidW5\\dobxloc.exe"	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exesysxdob.exeadobsys.exe

pid	process
1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe
2984	sysxdob.exe
2104	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe

description	pid	process	target process
PID 1180 wrote to memory of 2984	1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	sysxdob.exe
PID 1180 wrote to memory of 2984	1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	sysxdob.exe
PID 1180 wrote to memory of 2984	1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	sysxdob.exe
PID 1180 wrote to memory of 2984	1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	sysxdob.exe
PID 1180 wrote to memory of 2104	1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	adobsys.exe
PID 1180 wrote to memory of 2104	1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	adobsys.exe
PID 1180 wrote to memory of 2104	1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	adobsys.exe
PID 1180 wrote to memory of 2104	1180	a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe	adobsys.exe

C:\Users\Admin\AppData\Local\Temp\a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe
"C:\Users\Admin\AppData\Local\Temp\a5c566ea76c973a398fee68ea9dc0edaa27aba7e721d381e1a21cf66fb1b3156.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\FilesPX\adobsys.exe
C:\FilesPX\adobsys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesPX\adobsys.exe

Filesize
3.1MB

MD5
b28e4f3f846e04a2a3c1d92d8d0e9b68

SHA1
8abe5651912077a179c03644ec8ab1cc17dbac9e

SHA256
e7152e84aac8728c2927f8c80954ac1cf6eed5630bdd81715b75a6ff9fa2f638

SHA512
2380e19093727c9d2fdd6e9dd8ad567753c0923b3027a53ed013bb9c3571330b09da8c41ea1c326ef3b121f38321ea143590a60e6f29fb655399a2c13bfb73ec

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
474530e2f8d1bf5e5e1b35f2592dd154

SHA1
3697a48d4b8ab1f754d5f409fe23c39be1b7eda3

SHA256
533b65184d1c5004f909f51807891605929e9ee82293c7f3ddb6bfd449122cd4

SHA512
6581719d35764d6ff0c08352cd718753c6fb538213e6d11fa12a333bcf82ac70954dee6aa9582d4647119a65a593707a5c92357a682dc14e81f180a4cae08499

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
31108434259492d430555cfc5f8d648e

SHA1
af5cc908f6fcbe1340c7abf648852bb02ff3bb19

SHA256
4e6242722fe51d4ca9562f3998a90871270099bcd463cd168d548d8e0d85ba86

SHA512
632b4db16fc42608dad84758ded46e0a849d76c81c2282f7b895aadf90f39f1e22ea4781283e75668f3469bfaec636c93c7a27b6da2187efe3669d9c486b8a19

Download Submit
C:\VidW5\dobxloc.exe

Filesize
3.1MB

MD5
991d8414bb8b3133901d8087e5fd8b7f

SHA1
e52da6e54a81d3226f1e6fffe958a6fe007e94ca

SHA256
0fe063d4c85d5fb8c2f9fc580fa68a9ce5787c24debc37b0f3f7beefe6982747

SHA512
6aad897effd023382818944b762aae114e2f0e1bdc36ef247feab39eaefd9ab899c82fbaf0feb32027ea8622d84ac5429d23f950cfa9bb3817ef820dca1e0f92

Download Submit
C:\VidW5\dobxloc.exe

Filesize
3.1MB

MD5
f7a79eecd8f6bbb18084ef22df7ba6d1

SHA1
bfb48035e06f31a5ea544fa877576dc29b417608

SHA256
d0d3ab87320a0089769eabc694ac2de975a4c971e4847078b23fe29fafefa99c

SHA512
56ba5b617dabbaa80ef8ad6cb287aef3720d2f4f25df20f53695f2737e84ac84cf0fd94de82e88d23e8f8fed3c812a63ac1465d73f22268f7d22f910d1ea612b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.1MB

MD5
351025d801c999217160c6d502b472e9

SHA1
0c155f884eb0a11c4fc8d2a89528e168cafeb6ce

SHA256
cc35793d71cf27dad1bf6dbea2ed39582dd409b34edcfce65422be17a82ada2c

SHA512
0146e5cd0139fa589a1b1717bf0ce7a50276cca550bcb96e67e30d00eb17d3d8fb10bf3b92adad905284f55c009a4e7286c9a2ae57ae5b7e5a685510b7c12a30

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads