f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe
Size

2.6MB
MD5

71c3d2fd2921150d3eae1c4952e3212c
SHA1

ea51c94091300f5bd32c0d50f166a4935b6ec2cb
SHA256

f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f
SHA512

b014cbd23722ae4fe7535cc187ec1d7a677e296f46b205bc2003dcd119b8b0052260e69b6c12b90b13bdaa39c0a3bba298942537a30cc4bc55c8e14f37d1e0c1
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBwB/bS:sxX7QnxrloE5dpUpTb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe

Executes dropped EXE 2 IoCs

pid	Process
820	sysadob.exe
2600	devoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe
2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHM\\devoptisys.exe"	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR6\\dobxloc.exe"	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe
2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe
820	sysadob.exe
2600	devoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 820	2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe	28
PID 2588 wrote to memory of 820	2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe	28
PID 2588 wrote to memory of 820	2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe	28
PID 2588 wrote to memory of 820	2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe	28
PID 2588 wrote to memory of 2600	2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe	29
PID 2588 wrote to memory of 2600	2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe	29
PID 2588 wrote to memory of 2600	2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe	29
PID 2588 wrote to memory of 2600	2588	f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe	29

C:\Users\Admin\AppData\Local\Temp\f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe
"C:\Users\Admin\AppData\Local\Temp\f704a54a67095f57e497c48930adc443fcb54ed3ea79e4a944e357fab793531f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:820
- C:\AdobeHM\devoptisys.exe
  C:\AdobeHM\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeHM\devoptisys.exe

Filesize
2.6MB

MD5
793b394a9df0066f8fd01b31ea1a900b

SHA1
238a746becfa15f87061120a99f4e33dd723fdbb

SHA256
8d88f1d452e233599ae1a6c4b3989640d1ae44fafb45c94ca88c9b10c30cf14a

SHA512
87764acc760152cd2a8954c4f3e532d2c084214c9cf6a847e1fab8ba196a83e1b30d97aa98117503add38c2e4219023c5c5d8faa090927674078a6837ef72ae4

Download Submit
C:\GalaxR6\dobxloc.exe

Filesize
2.6MB

MD5
2ef183307aeb9d6ba4ce3309927118a5

SHA1
e2dca900e8726fd930e1518635fbd97e7de94a21

SHA256
bb56e32d66870677a4747610a5dffb5013d1d7ea5aecc51db1181a6fade9934b

SHA512
d1e1f0c726727ee828a0fc83d6d9e59acb60722a5e80e7e3ee20eb38e4262b94f51e4b5347b1a49fb2ccfc39d6987ab761e5cf696f5013b8de5299e621b13c41

Download Submit
C:\GalaxR6\dobxloc.exe

Filesize
2.6MB

MD5
3f516ff273cc30004d4f77e75ad0de4b

SHA1
b195f980a9a185186aaf6381a2d24821e2ce29c1

SHA256
4f33af601b7e1ec8a339e4d58ed601fd2d3f460dfad7dd2534ea73fce584ad9e

SHA512
3a67b5ca7a3e81557388cd04a63f6ead82944e285c082775cc0080cc5f4ff49d25a8826fec7184ed7f5409beba6a8ea9fe4726f50fce07b310aa5f18cd0c7ff7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
d920626d821f1a90f47fbb1a23eba083

SHA1
1a0ab15339fb38bd6712bfb2a3f879b45ef01f54

SHA256
67cd9cfa210b10158e68c72a08e6e0cf41feb0414ac17c6fe90c145ae2eab585

SHA512
23a5878d58438812d3dcde0013f3cac463d90722023bc0e9da168c5e029d299ca90689997be0ea8626713c809de98292294d2600d99daed119c47f58a0cd1409

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
b0f01d5b1bfa96d3607155e973c1b501

SHA1
a40d221aff4af6220a9531ba807f75798975508e

SHA256
265aa1d6bc544f588b6cbe6e46a0cf11788ba83badeefdbdd07ae29beff66042

SHA512
2bcbc289ecb39c1f935539c5dd8df58fd13803c5330394ecd81b9206eb364d7dcfaf4edefbd4fb87aa2a2014d994d9b143134805e8dd369a3690684b318437e4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
2.6MB

MD5
d1915aedc202ce793a909fb8346d46c8

SHA1
c1a895cb2857466f3d036f4387aa4acbe4d7c558

SHA256
5c093e530620be7bd1c27b34b1f13a67f248ce7ca8c69bd852c99cfe6ccc2911

SHA512
25d345cf1b0c7ef51604b14e38166aa183a27be6d1b96349af5f000b63b690eb948c0581bfc48d55aafbf31f9640d82dcc3be346df94a901f84e89f8dcb3ed8d

Download Submit