3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe
Size

3.1MB
MD5

8c0f0a96771592ddff53126c4b56f0a8
SHA1

58d7c732cd94d91fa1c6b669798c95570a0fd7f9
SHA256

3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66
SHA512

4cf0b2f27fced1ef7eaa57c17e4b54a27d6bc958e752259b1ff5afa77c8d5bd1602b23b79e1982b0a3540a4c2aedcd226cf5f92196466fcfa8299b7cdca48d5a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUp0bVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe

Executes dropped EXE 2 IoCs

pid	Process
2220	sysdevdob.exe
3016	abodec.exe

Loads dropped DLL 2 IoCs

pid	Process
2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe
2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8W\\dobaloc.exe"	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeME\\abodec.exe"	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe
2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe
2220	sysdevdob.exe
3016	abodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2220	2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe	28
PID 2808 wrote to memory of 2220	2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe	28
PID 2808 wrote to memory of 2220	2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe	28
PID 2808 wrote to memory of 2220	2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe	28
PID 2808 wrote to memory of 3016	2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe	29
PID 2808 wrote to memory of 3016	2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe	29
PID 2808 wrote to memory of 3016	2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe	29
PID 2808 wrote to memory of 3016	2808	3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe	29

C:\Users\Admin\AppData\Local\Temp\3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe
"C:\Users\Admin\AppData\Local\Temp\3f002359a9537459079c26b27a8002e3020dfc0267cc130fa27fd6815435bd66.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\AdobeME\abodec.exe
  C:\AdobeME\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeME\abodec.exe

Filesize
3.1MB

MD5
f34e00da81873e3601cfe916917c7552

SHA1
404dfe0f04af0056973bdd6b041385b7937daec8

SHA256
7ea325940751e44521de7aeba2b2605ac59f86849c4c2501fa388e20f8280c6d

SHA512
db5c49c3d17babc220943f823be597be550143aa48139e48cc9cd6ba00a5b3630e140f423e8e584e172bd0d954a6a48f25613ffd4614fbe80b4be85ec1897927

Download Submit
C:\LabZ8W\dobaloc.exe

Filesize
2.9MB

MD5
2797601655d565049b4882aec206c77d

SHA1
3f933f713d97aee7294f8ef9d2a10406585df3af

SHA256
e26026f1179a907180ae83d94d1d26ef765739a43ca9cf9b652ef9dce88e453a

SHA512
7ba2b114ef4b148a6982a7fd7b8ae6aa8ea3ad161c5c97d0e0a558c36b7921a22a70f14510445018878c5de5f26c83fa59bc60b14ad2b71b76069c3e95058dc4

Download Submit
C:\LabZ8W\dobaloc.exe

Filesize
3.1MB

MD5
9c363b1edb0b47852cfb76b335bd9149

SHA1
9ddf16d342c128929f4ce944c5cce02b784e898d

SHA256
78022e1566f501c4da9be1b029563c53765ccf86223fb4b562dba6875f52c34b

SHA512
8b41a32d9bfafc24c7efbffec4fd439cb9127211e80a56fecf876e9edf839aca8b14b9785c05db0a12cdce5e89a9d5e57af2cf6978df186b1367865850f7bf1b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
92def96502a7f3d8d1aa902703408990

SHA1
7dd0d1c5629c4ef20fe8cc361fdf48fd36ea9d1c

SHA256
0855cdc09a1ffa9cca8fdecdec8e8ed35338bc450d2ce1b7d9e0fd5f7d1a5ea9

SHA512
1bb578a40b1e1f231abaa3c2f89d1fc63cbc6452a3349d9165e12796172f815c4f719bee8bb5ab9c1dbd5141a966d6dc956120501c177e8e64ea1d2d6f5bc71e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
05beeab21e4053e6a71e2ec434257142

SHA1
cabb964901c9679d8ae0ff6032b2d4fd77771e0b

SHA256
97529aa98d2c2682fb0c2d113d09786e0a13dab8da150767e967909ea37a0c60

SHA512
cea015852c541237db28e7897e535bd2ba10648e2e0a4d9e9a7afa4648284eecb93835562a7279f0071a4e05cb111af1111ab2721e8e3f09e7423a945fa1c46f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.1MB

MD5
de564853f67c1f3760e3a8c50f7d3892

SHA1
0b5e1d5ed4d2d10a23f89202c7bedba4f515e550

SHA256
06bf2bb346dda31253b755c451ce1950e7f5ee60cf5b13a825184e491410c640

SHA512
5ffb427851832190412cda86e4af61955bc7327317524edc1e11a6b7a76af70873bed815c88b9e380a22c21bebb0bdf63cd42fb1a4b6a7cff0b3e0e53f0ffa21

Download Submit