236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
Size

4.1MB
MD5

9e9873acfe2fcac0cee011ab34ebfcbb
SHA1

0328aede3e09727d6e236222e827ce011715f385
SHA256

236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5
SHA512

8270985a4d7fce79d3de6769e65a7bb66bd5ba177ce61ce764b4c60d1b782ace4df7e6eb0488816c0f59670279e1b186ea2f5af83bba123455b8a57f8a1aca1e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB4B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp3bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe

Executes dropped EXE 2 IoCs

pid	Process
2496	sysdevbod.exe
4896	adobsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesN9\\adobsys.exe"	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8T\\dobdevsys.exe"	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe
2496	sysdevbod.exe
2496	sysdevbod.exe
4896	adobsys.exe
4896	adobsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2496	2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	90
PID 2628 wrote to memory of 2496	2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	90
PID 2628 wrote to memory of 2496	2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	90
PID 2628 wrote to memory of 4896	2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	92
PID 2628 wrote to memory of 4896	2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	92
PID 2628 wrote to memory of 4896	2628	236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe	92

C:\Users\Admin\AppData\Local\Temp\236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe
"C:\Users\Admin\AppData\Local\Temp\236c7afc16396a5214e2db9c432cb884c037e386df491daf6748240f9403e4e5.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- C:\FilesN9\adobsys.exe
  C:\FilesN9\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesN9\adobsys.exe

Filesize
4.1MB

MD5
fbc2df178995b9a385161c6c6bb663e4

SHA1
dbaace9cb1825a3c20de087659e4fb169a204c47

SHA256
6dd4528965ab84b0a9862be173f394c87f3408e0bce0955a802159b0995c7489

SHA512
d7df492f3998c2aad220a2e51372de175ddf1feff6dfca26d3f5a9e758a6329c6f398768da52337dd2bd1600a21b4bf6feedb5b3ad5d08bf7391c69e900e07e4

Download Submit
C:\Galax8T\dobdevsys.exe

Filesize
4.1MB

MD5
1d336ac0a6c1ffb59bc377e5a163b009

SHA1
8372686ae5ea67f4799e5a54c1a28374beb62bcc

SHA256
8b222c09715b6cbe37a0fafeaf2e570fa547a922566354ed94579ff57ee8c261

SHA512
9cf81bed2d5330c8491dd1b30e114908caa31284d040220caabe0ed5ab98d8563a0649b09d97ed4c3eef597076478218d9d00472b508cb35a2f57515a7fc5168

Download Submit
C:\Galax8T\dobdevsys.exe

Filesize
4.1MB

MD5
2d1b42801396c50785871fd0f026b9cf

SHA1
9f15cc2c00205b5f5d63da1399afee6f273c2b7f

SHA256
b1e84002801593289cf119134ec2b4672e5969201e3b3f973777c9f6d67771b4

SHA512
f5fd32e2dbee3a071301b313db7ff884c25bcffd4f71e43b5ba776d94b3efc1ef7da3cf907be7aaaea317d7f300ddebe04c0df2a7b4112b8772b0e209b856b3f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
6e07ef2fd13028e7e3d1a1320d3c69db

SHA1
60ac5ff1a5c7092d76367b0dfa04ff2a98894124

SHA256
497b54e21633f2b43a13365387af6abee5cdfbc0410fb5496651d08f82c7bb7a

SHA512
0f42cbdf47c9759260ad14a855cb1a818f4def86a75ab3d8df6bdd5baf9b9edfc452703bbc602efd3ed8bc5c13adefce4210e4e649c1a468e5c5dfc354389e85

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
11b1d71abffed12e0cafcf9fcf6a92df

SHA1
b1aff712edc6280d574c97abd40e40f5bc30bae0

SHA256
b0553bf4e3b90cd95e30a8fb90c35d29823b34a920757f535c3d2d54cced38bb

SHA512
310bd94b5475d28b42e0ae00bce5173b25dc07f3bacaba9972241cc4e9e5f196d22de2bd0e323ce631dd0175d20bf9458d4dc66354a03d3be1881bac9fcb7abc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
4.1MB

MD5
4dc09a5a054713b9eceefbb9c8df03c0

SHA1
617d960396415d79d6754ef4fc4f0a412ac56d03

SHA256
012d7877e58a3c4a4ea7927cba164c8c6119b783d18d68e0aba425eb21a2a6cd

SHA512
c97730d0f3a551d03a2b5c05bb6fcbc90f15effea332615126266b9e327c09ff3fdeb0ae06faf8706e19b9bb148ab9f5abbd189dd7a7451c35d4d034ef64dee1

Download Submit