ef2885d857be415cbd4ed3aea244ad17e8b8d9d960d0376288772c508962a0f7

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ff24f8d3031ecaf2030cc570b54be0.exe
Size

3.0MB
MD5

07ff24f8d3031ecaf2030cc570b54be0
SHA1

bbf6d0279a9e0af663a6cea372f34279c852145a
SHA256

ef2885d857be415cbd4ed3aea244ad17e8b8d9d960d0376288772c508962a0f7
SHA512

480f77077e20bd9ea3ae664776c378fee0f5d26a5b6191c66959fc694860d0b39d93aea5061374848237d8970501f2c6e03da8087e96b2b69b4af29b2445451d
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqz8b6LNX:sxX7QnxrloE5dpUpbbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	07ff24f8d3031ecaf2030cc570b54be0.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	sysabod.exe
2896	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	07ff24f8d3031ecaf2030cc570b54be0.exe
2980	07ff24f8d3031ecaf2030cc570b54be0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWV\\adobsys.exe"	07ff24f8d3031ecaf2030cc570b54be0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUW\\optixloc.exe"	07ff24f8d3031ecaf2030cc570b54be0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2980	07ff24f8d3031ecaf2030cc570b54be0.exe
2980	07ff24f8d3031ecaf2030cc570b54be0.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe
2276	sysabod.exe
2896	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2276	2980	07ff24f8d3031ecaf2030cc570b54be0.exe	28
PID 2980 wrote to memory of 2276	2980	07ff24f8d3031ecaf2030cc570b54be0.exe	28
PID 2980 wrote to memory of 2276	2980	07ff24f8d3031ecaf2030cc570b54be0.exe	28
PID 2980 wrote to memory of 2276	2980	07ff24f8d3031ecaf2030cc570b54be0.exe	28
PID 2980 wrote to memory of 2896	2980	07ff24f8d3031ecaf2030cc570b54be0.exe	29
PID 2980 wrote to memory of 2896	2980	07ff24f8d3031ecaf2030cc570b54be0.exe	29
PID 2980 wrote to memory of 2896	2980	07ff24f8d3031ecaf2030cc570b54be0.exe	29
PID 2980 wrote to memory of 2896	2980	07ff24f8d3031ecaf2030cc570b54be0.exe	29

C:\Users\Admin\AppData\Local\Temp\07ff24f8d3031ecaf2030cc570b54be0.exe
"C:\Users\Admin\AppData\Local\Temp\07ff24f8d3031ecaf2030cc570b54be0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\IntelprocWV\adobsys.exe
  C:\IntelprocWV\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocWV\adobsys.exe

Filesize
3.0MB

MD5
ed8b9ad23032766fbdcf75c155634f92

SHA1
03e8bdbd973dc14abc1973091e0ce4a8f1c27a2a

SHA256
dcb724be958b58a7d39d73a48a5133e76fbc6e79a3fec6061ee069cba61a261c

SHA512
12f63a7ba52b4f4cd6e917272fb4fe88cc413f0416b3658f88dbe2409606a67e494dc9d99fb5d321ca0d3ba04c249c3bf3ca2c0028f80f11d4259adb95afd73f

Download Submit
C:\MintUW\optixloc.exe

Filesize
3.0MB

MD5
0356bb4d664c31ca5c1c4428c0f96569

SHA1
4e4d7c2830a26233104464826d365edea5b392f6

SHA256
de7a25eb929deb1de2ac467c0582f9e482ef9e4b6a3b58b3fd6faa242fe9184d

SHA512
d213af373c31e57e257b9e38511f1b121d9ad192d7279b62f4aa14cdb2a6c32835ccbd909bda6b93f7b25555bc722bfaae3f3eea7b0e53c5bfb7dbf3e81dd17c

Download Submit
C:\MintUW\optixloc.exe

Filesize
3.0MB

MD5
fb4ec4bc7aa25a90b1ebdb43283a8e3d

SHA1
dc113f46dee42a10042a8a6c137d10596b809905

SHA256
f92e14def42284426a42d62f5b255529c34ee1194f6c22dfc604d59f92ed3145

SHA512
c295c561b5369fed5c469451e00ba19088c37408bf49acd7a3a09e821f1fcbf6c73dcb6881926381e5d5475d96ba3753d0761d0f556560311c698ceb1b4a935d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
02f60d000468500804699f9796e1a184

SHA1
44bb0cb1952999d3ad84db53d580f61d1d3906c3

SHA256
792f37b8b7cf34d9011f8a3753247ffdb05623268e8647bf80c2497260ac1657

SHA512
497f5e4de21c6d36a67e4d4c06c5babc6da459852b59ac63d9f0cf6649824c86965c83fc72b8a58523cd372bdd993c8ae238943827cc97a0766a31672c98b7c2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
33f074ac369d7b3939083e018739fd05

SHA1
442981ef0a6a895a26d7d055671d9ba2825da8b7

SHA256
5b662f20ec2ca8aca1e3c4fcfa7471e2ab1fb6cf1d06253ddccfdc80d5a5d6eb

SHA512
8b26d58b7165eb9f2155ae3ed3856f455186313aa679783d18146d0c98bff2de8fb28d1fd10cd96ac494fa41e32f45bd7111e31a31bfd1846fb0bd498f1c6fd1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.0MB

MD5
ee746e16481fab33c78b4df15fe48724

SHA1
288d6993da8f56a887be8427e81f20fb41d52fe9

SHA256
71875f0a2511554e84635c1b5e00ab930e5f93e40160a6115e3bbd866d5925b3

SHA512
15aaccdbd3c27d4715361003cda7c77d86e2d361b7ec5e971b8d0ae32059e292471fe6b391f386c17efad6cc4915d11184e3a9494b4fc86ffa588dbc6b86bdc2

Download Submit