bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
Size

3.2MB
MD5

47517cc843ec405305007bd7b8ee8d50
SHA1

200a9924d70b4004f722a9d428b03f8d18ddf410
SHA256

bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31
SHA512

be8753e9bd43790f7619131ff7fe80450a327617e57fb65047303e82fbe573e3398ed46bdad135e82888e70ab49212963cdd69dd78762c892f0c74779f4061f3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBKB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	sysxdob.exe
2584	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPX\\adobsys.exe"	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidW5\\dobxloc.exe"	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe
2860	sysxdob.exe
2584	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2860	2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	28
PID 2236 wrote to memory of 2860	2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	28
PID 2236 wrote to memory of 2860	2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	28
PID 2236 wrote to memory of 2860	2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	28
PID 2236 wrote to memory of 2584	2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	29
PID 2236 wrote to memory of 2584	2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	29
PID 2236 wrote to memory of 2584	2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	29
PID 2236 wrote to memory of 2584	2236	bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe	29

C:\Users\Admin\AppData\Local\Temp\bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe
"C:\Users\Admin\AppData\Local\Temp\bf679ebd1ba24d01909ea1c8f2fee01369613a0fa8ca2f173ca7c76c230dca31.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\FilesPX\adobsys.exe
  C:\FilesPX\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesPX\adobsys.exe

Filesize
3.2MB

MD5
dc1e1fa433f5f79e60da5e85d8fed661

SHA1
7aabc2ca1d53e4976d603c18e7884159ded588a2

SHA256
fa2aeb1dca9173ecd1327bfada25b485288699e4340ba3cd79f583da3c3324c4

SHA512
3ee77a3d8fbd74b02309dcb512ab8e5d9425984a610f89b93e3c12d6d74f28bfaa6a110f7369ca3cdbafdd83eb47e3e0ad0d17e9703c2870354a5ab8c27ad498

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
167B

MD5
474530e2f8d1bf5e5e1b35f2592dd154

SHA1
3697a48d4b8ab1f754d5f409fe23c39be1b7eda3

SHA256
533b65184d1c5004f909f51807891605929e9ee82293c7f3ddb6bfd449122cd4

SHA512
6581719d35764d6ff0c08352cd718753c6fb538213e6d11fa12a333bcf82ac70954dee6aa9582d4647119a65a593707a5c92357a682dc14e81f180a4cae08499

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
31108434259492d430555cfc5f8d648e

SHA1
af5cc908f6fcbe1340c7abf648852bb02ff3bb19

SHA256
4e6242722fe51d4ca9562f3998a90871270099bcd463cd168d548d8e0d85ba86

SHA512
632b4db16fc42608dad84758ded46e0a849d76c81c2282f7b895aadf90f39f1e22ea4781283e75668f3469bfaec636c93c7a27b6da2187efe3669d9c486b8a19

Download Submit
C:\VidW5\dobxloc.exe

Filesize
3.2MB

MD5
b11f970383809615605da5c9ddf5341d

SHA1
ba3f59d95401a87873df217944ce3e5e59bd6ac6

SHA256
23c60be019ddd3c2a05f6f5ec1d55af861f73704c2f53654fd83e5aef7220773

SHA512
cea33d01ca88397ad1a7536f9294fc702cf6d7ff2f7e730f6ff392f2583c42f3765c71e8601810f414a5999e55bc5844d343917b39b6b4f677c0ee72285815df

Download Submit
C:\VidW5\dobxloc.exe

Filesize
3.2MB

MD5
856f7afb36bf9a5c212874d888fd7e50

SHA1
48b8b18f947e52beb0e421ea2b97d64ba394498b

SHA256
3b8e5a798c448524257a7b7c3a4aca6cb1c9ef76aaff534d339ce1c7c26eefcd

SHA512
a3a923f49c2080e6d3c8eeb6475dc5e4ea13f26553726b6901780a78f9d988b6d167f0395838b823bac9b3338f0eb69cec7361a554c749065bb213a8d6f46cc5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.2MB

MD5
e661cd8b77a489975d3aedbafcf8d897

SHA1
a4ac170c77441de0da442130e5fc1ec537864c1f

SHA256
aa5a4d07f3eb198667d51e44d94337d00322831ad3ce37b8f82757ca42891b09

SHA512
709d2d4d058642f85320b78dac0ea735db09ba0cce6767f7ba3158c14db3335a331e702bb32ac20d3d4a57ba50c3d3e3aaf4a69fb520da13867208e08e418720

Download Submit