891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
Size

2.7MB
MD5

1a632077fc1f1b80d1363719450a2c00
SHA1

23e946a1baf9217e2eba01758b03fc0d5c45666d
SHA256

891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc
SHA512

ac64daa5817c64606e753df6a43d5c0b00f5dbf212c0936bb86d9feb9950e9877e59e764b98942752fd27dacacbfea19e2fcff1f96b9abacb3536dd147306f0a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBw9w4Sx:+R0pI/IQlUoMPdmpSpW4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHZ\\adobloc.exe"	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBT8\\optiasys.exe"	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2204	NETSTAT.EXE
1892	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe
1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
2864	adobloc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	NETSTAT.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2504	1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe	29
PID 1732 wrote to memory of 2504	1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe	29
PID 1732 wrote to memory of 2504	1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe	29
PID 1732 wrote to memory of 2504	1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe	29
PID 1732 wrote to memory of 2864	1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe	30
PID 1732 wrote to memory of 2864	1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe	30
PID 1732 wrote to memory of 2864	1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe	30
PID 1732 wrote to memory of 2864	1732	891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe	30
PID 2504 wrote to memory of 360	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	32
PID 2504 wrote to memory of 360	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	32
PID 2504 wrote to memory of 360	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	32
PID 2504 wrote to memory of 360	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	32
PID 2504 wrote to memory of 3024	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	34
PID 2504 wrote to memory of 3024	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	34
PID 2504 wrote to memory of 3024	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	34
PID 2504 wrote to memory of 3024	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	34
PID 2504 wrote to memory of 2156	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	36
PID 2504 wrote to memory of 2156	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	36
PID 2504 wrote to memory of 2156	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	36
PID 2504 wrote to memory of 2156	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	36
PID 3024 wrote to memory of 2204	3024	cmd.exe	37
PID 3024 wrote to memory of 2204	3024	cmd.exe	37
PID 3024 wrote to memory of 2204	3024	cmd.exe	37
PID 3024 wrote to memory of 2204	3024	cmd.exe	37
PID 360 wrote to memory of 1892	360	cmd.exe	39
PID 360 wrote to memory of 1892	360	cmd.exe	39
PID 360 wrote to memory of 1892	360	cmd.exe	39
PID 360 wrote to memory of 1892	360	cmd.exe	39
PID 2504 wrote to memory of 1652	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	40
PID 2504 wrote to memory of 1652	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	40
PID 2504 wrote to memory of 1652	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	40
PID 2504 wrote to memory of 1652	2504	Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe	40

C:\Users\Admin\AppData\Local\Temp\891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe
"C:\Users\Admin\AppData\Local\Temp\891617216f4b2e8f831f9ee9dc6f498bb82cbfdf7e7dccc3d22c15829e1d68bc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
  C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -a
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c dir C:\*.doc /b /s >> C:\Users\Admin\grubb.list
    3⤵
    PID:1652
- C:\IntelprocHZ\adobloc.exe
  C:\IntelprocHZ\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocHZ\adobloc.exe

Filesize
2.7MB

MD5
e03fe27cb2e0780ce5ef9f6bd4eff4f9

SHA1
5529381f7230cdcf0eab781a2032fd9c3196951b

SHA256
930cce56d4d42666905fc916a760d81ef5c70c42082208122c4a9100e72fb4d7

SHA512
ca06b03b374b16fc74cca9f8b72559b0e64f45a247294c653e0b5cf0236070ceaa5ce6648726a56e335d6f9849711fd633018b84e3ea487fb1e1f083ffe76053

Download Submit
C:\KaVBT8\optiasys.exe

Filesize
2.2MB

MD5
b961261ee047ac73e50f959b8722f42f

SHA1
a5d010fcb90cc2bcda86319bf8d42c3e721cba02

SHA256
e2ea34d3b11d545c6f35914ce896daed0217d70648913e7228acc0063609d080

SHA512
0dbf1a097755f288cbf811e0282e1f0f92d679aaf52c022ce0be7204855cee995c12b7d3e03d5e06de698359a59734e184f724dfbcca6f65e25854caf23d1db6

Download Submit
C:\KaVBT8\optiasys.exe

Filesize
2.7MB

MD5
faffb283b0ca51ccaab73677bd352304

SHA1
816de2f70c6a4e683fc8df209511441150312571

SHA256
8e6d2968066d51ea5b2578f4bb6663e0d6edd176458264643832ed20a50f5aa2

SHA512
f195fc7d0bc1e3a42892ae14a8548e00423ed86f22f063464cc6a645c63acfa1301f8a9b518d752ce34c892c607bb5fa0e463c623bc859ac509d23b7e51b558c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
8c957053b054d009435ef0f09a8da72b

SHA1
b7b83cca944ad47bf0aa9b2ae88e8a26a96f8491

SHA256
c125496a955ed8e2624ba6cd5b62bf4aee2506e3493e1b41d70fbe5d13fbe62d

SHA512
613ab04a73dbca005e811bd9950d135b97726e3f74bbab3bfa9bf793314c3d2e499738331c2a6825e676733f82614a7694944f241e2616cf477a5e9f63a4b4e9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
93e93ddc64062ca6bf539cea770869c6

SHA1
4e7850d00b48e2e635c100b0c894f456214ec7f4

SHA256
26444d3968a64e72757392301e6337a06a2bf636924251afc644048bf18bfa75

SHA512
e75b8f573f8494f1be42a5c739fe717fb7a003676f1bd49d5ca0529682c3770854eb6b93f7d0b207924805c805926a62fa15c9a76f27867adeeb0ef7689c6817

Download Submit
\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locaopti.exe

Filesize
2.7MB

MD5
69e18f1017fbd30da6ff64e660df59f0

SHA1
5cc2814ca4cc861708e2a7ed023467a03ee96f02

SHA256
c72ef987535a3f9c6c3402a3aabf6829f6939c7a484515a479c3bd4e126bdf38

SHA512
30dfc56dd368ed4c0b661f27838fc9451438ab140cf4da435afe18073ad9bf21b577480a5181d63e7a793c1c259566a15558734de3ceaeb287c475f2fbedca4a

Download Submit