b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
Size

2.7MB
MD5

9f41fe3e32fe71ff439c684260203b4e
SHA1

16ffca1bfc27869f62472cfb4f5e47d9a94d8d2f
SHA256

b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996
SHA512

d84b884333bf57bdf4b8c4ad4ff717b7207761f82506cedfa80da6365e24bdcf468f924986ca024f3c3595297ee86acb72b2776fae1eb14e09bdc86d226cf1b1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSp64

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRK\\adobec.exe"	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBDH\\optixloc.exe"	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1884	ipconfig.exe
1728	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe
2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
2556	adobec.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	NETSTAT.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2064	2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	28
PID 2080 wrote to memory of 2064	2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	28
PID 2080 wrote to memory of 2064	2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	28
PID 2080 wrote to memory of 2064	2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	28
PID 2080 wrote to memory of 2556	2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	29
PID 2080 wrote to memory of 2556	2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	29
PID 2080 wrote to memory of 2556	2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	29
PID 2080 wrote to memory of 2556	2080	b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe	29
PID 2064 wrote to memory of 2380	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	33
PID 2064 wrote to memory of 2380	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	33
PID 2064 wrote to memory of 2380	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	33
PID 2064 wrote to memory of 2380	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	33
PID 2064 wrote to memory of 328	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	35
PID 2064 wrote to memory of 328	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	35
PID 2064 wrote to memory of 328	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	35
PID 2064 wrote to memory of 328	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	35
PID 2064 wrote to memory of 776	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	36
PID 2064 wrote to memory of 776	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	36
PID 2064 wrote to memory of 776	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	36
PID 2064 wrote to memory of 776	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	36
PID 2380 wrote to memory of 1884	2380	cmd.exe	39
PID 2380 wrote to memory of 1884	2380	cmd.exe	39
PID 2380 wrote to memory of 1884	2380	cmd.exe	39
PID 2380 wrote to memory of 1884	2380	cmd.exe	39
PID 328 wrote to memory of 1728	328	cmd.exe	40
PID 328 wrote to memory of 1728	328	cmd.exe	40
PID 328 wrote to memory of 1728	328	cmd.exe	40
PID 328 wrote to memory of 1728	328	cmd.exe	40
PID 2064 wrote to memory of 1200	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	41
PID 2064 wrote to memory of 1200	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	41
PID 2064 wrote to memory of 1200	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	41
PID 2064 wrote to memory of 1200	2064	Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe	41

C:\Users\Admin\AppData\Local\Temp\b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe
"C:\Users\Admin\AppData\Local\Temp\b9be8b1a51a34a3cc66d3bd0aaa7336d1303c9964150e59e75edaedf260eb996.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
  C:\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:1200
- C:\FilesRK\adobec.exe
  C:\FilesRK\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesRK\adobec.exe

Filesize
2.7MB

MD5
7146a80a4461bbe5f6c85472d1d53fbd

SHA1
9514cc6cd368260c63d2ddf203fb861f3d650407

SHA256
763186ba4961b95a7f3292191278abbf2c277022a8628c6f9f4d81fc38b7cb41

SHA512
489a3d11c8dc53b0a32612f23a04f2a2d407ebf02c1512f78a5e9fddf660aead392a96e943ff08310172e80ef592432a38fbaf661907d115f60722c1a22c536f

Download Submit
C:\KaVBDH\optixloc.exe

Filesize
2.7MB

MD5
ade33e57df378e8f45a38d16c88d0c20

SHA1
f70c251d58ab2bf82c934df40b0e38330c22b4f9

SHA256
99d70d30db5f69d6f0a7ba0b6e3ef988a563d924cf13e0fb5e7bcfe10b277a16

SHA512
387b57e7522f628d213ef56c62b0b259f39d7606b3ce1bf58fb7aa5129bf1ffe5efb372fef719380544afd3d929ebf5f0025cadb6f728a2926cf1ce42b0f6333

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
a309dd4fc3db1a7b4fc86d174b3a338e

SHA1
471e1fa156fbe29daf9dc534c6b0fd861860cab8

SHA256
c1bc4907dfea6354a2148e85c85097dbdbe38271b3132e4b7322a94295928968

SHA512
d48e857eb8d2414af1e0e5de2c58e222d73093212ad509c4f1c03c23d08149cdaebd2b587162dc2b683cdfdc5320dbd8e66f5f5f304934c4f277a5930eb8becb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
18808080ee728fffe97c55929717db5c

SHA1
45a137a01beb62ac7b1efd25a25955c82006a546

SHA256
44afd0b6a5eee8b66e60ced7c2852ad945a7d89cdf26d834683e7b4d9be5c399

SHA512
64128c839ed1c5ee73ff9cdfee8793076eca2cfaea26300397b7cfd76b7a7424e567bbc95a3980b67111f2dae8c0e6fcd0101c34afe0838f10a23a1b354fa9a2

Download Submit
C:\Users\Admin\grubb.list

Filesize
262KB

MD5
e1a5dde8bc5910cc76f7d0361d5e3110

SHA1
5f347e666d7504651f71b56041d2fd223367c585

SHA256
63c6e7d12d9337d4ea9bc862a1973f002904de5967d7317b0b1626fc066a6c1d

SHA512
bb835258d650c9358594dbba0949422091efd9ea6bb489ef98977e2a6e2996a3b092b21fddb5bcd3d6fe14600965f70f0de579e5c95a2596eb64b35c37e3c68f

Download Submit
\Users\Admin`EttHexe`Vseqmrk`Qmgvswsjx`[mrhs{w`Wxevx$Qiry`Tvskveqw`Wxevxyt`locadob.exe

Filesize
2.7MB

MD5
231a8ce13240cd59b93c4890c5c611a0

SHA1
aa34e468d256b9093cc11277fbc440fc3d980b1f

SHA256
8295ba649f7213d910821601b9535db7cb91c687ca9c91beaad5db492504a568

SHA512
dd97a6bc833762736bf02df545ea8e55a131fe7080aa02366497951524033f0877408a14aff447803f9a11c44fcb88e50ad4e493790e9e497674cb96177e665d

Download Submit