8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 00:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
Size

3.9MB
MD5

ed764b747155333b729aaac05d2cec86
SHA1

bdf9648877683043e5f3567f8858a813156ce184
SHA256

8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed
SHA512

3e1c9313024e211cac7838638e5a402a07a60f49db7e5d84182db2fb5181df8b559c500c89c99a092e1b3430055ffcde18992b5c922af669bef5b00ee9d3c958
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8:sxX7QnxrloE5dpUpybVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe

Executes dropped EXE 2 IoCs

pid	Process
2096	sysadob.exe
2380	devdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQ0\\devdobsys.exe"	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid95\\optidevsys.exe"	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe
2096	sysadob.exe
2380	devdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2096	1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	28
PID 1312 wrote to memory of 2096	1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	28
PID 1312 wrote to memory of 2096	1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	28
PID 1312 wrote to memory of 2096	1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	28
PID 1312 wrote to memory of 2380	1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	29
PID 1312 wrote to memory of 2380	1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	29
PID 1312 wrote to memory of 2380	1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	29
PID 1312 wrote to memory of 2380	1312	8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe	29

C:\Users\Admin\AppData\Local\Temp\8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe
"C:\Users\Admin\AppData\Local\Temp\8cc5362c591c5110f4cbc362e716ef8571feb28c6f50871f9e3baad9927134ed.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\IntelprocQ0\devdobsys.exe
  C:\IntelprocQ0\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocQ0\devdobsys.exe

Filesize
3.9MB

MD5
501ea41dcc5154bf8c35a6fc31dac2cc

SHA1
6e87e62c80f507c1b7beb7fc8cc85470a9e7066b

SHA256
f3635d063144df72326b7fe431f301ff8d70ded894c53b22d774d762f12c2a3d

SHA512
a036c8a0349209c3f23df27d82764703909d48af08bbec9702fb0dce17344884adcc2835d49d9c5426f8f05caba48a57df54ff462b59667d53c7813a17564e5d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
b88d0ab625398d17b0aba6f18964ad0f

SHA1
b30e945ca80c2e1805dbadbe8381129a17d9bc10

SHA256
65151c82bef73a4081b6085dcc988b45824c27f978a974ff0fd167dbb3bbf402

SHA512
bccf85d92eaa4f5a3168cf72c97d3188a7bda83e551c837f66e21f91118a4d242289bcdcdd75a74e213f917bdf661ffb09c2c67b63a80540e29bd9224e75a6d5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
36540c1ddd4d5293339dd3bae83466fc

SHA1
589101cc087400ffd1a9bc2e27674ee9e1538c49

SHA256
1f334134c89bc2c38a7dc0c9ed99eea1b307e32bb6eccc5030e8164e728d5b9f

SHA512
1884094807e779ef2abd931206c3bfce4a9cd4e01e7a53f0eb6db15881c68acfb4488d40ea34ba0c281f42968aa24d7c61dbb8d4977525b6509b511e0d4a0719

Download Submit
C:\Vid95\optidevsys.exe

Filesize
3.9MB

MD5
da26866b711807335cb9fb43e167409d

SHA1
4d3c776d0a1a8004e2c3d57109d7ad0c71e8fc26

SHA256
87e2ced3ff2c8ac371c273557793b79a944ec58614d8960ee9a48ff8441be4fc

SHA512
0de061dfa16df3626cc611cd6d23e8830c6bcaba0f66ad7c20cd4dfd2761867bd720a771e0e6015f55f0bc73a46bbb2ef21ed97e1689cadabd48fe69a0d6d77f

Download Submit
C:\Vid95\optidevsys.exe

Filesize
3.9MB

MD5
7f7e654b89156dcf962271d9a682ef56

SHA1
99ccb7d16e5006717fcb807d3ebb489153cfc4f1

SHA256
e6111f56b8f5d99e932e1f98d81629d217ae76eb45982a4d0c1006b2aa3a8277

SHA512
086e71a156575b6ecfda609830333702c2e2f18708fe152d71f140a2d9b89b21fdb4fd6a5fa505ce590290a28655ceef22dcf00d052c0e569c39191ae1892fee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe

Filesize
3.9MB

MD5
86acf12ca3900141ccbf28b510d509b7

SHA1
18bdc74463a52b6ae4cc54b10891ecb175c29bdb

SHA256
8628cd50b4134c682d91cfc9a1fe0b6fd9c3c1d76e35cd044318b4849a4c3bbe

SHA512
245f0a42867c51394117094300c0bdaf93cbbf8281dc976005a7921af8600551ef658bc8053b57c39554e0c5693727462ac92615943b29b358d8ca3fd3783322

Download Submit