15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 19:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe
Size

2.7MB
MD5

24ad6103258df6b22320081cab1720a7
SHA1

18a9c5048cb48f92edcef3795f773579f8cc429a
SHA256

15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6
SHA512

866f8abe44421be7c31450d4385958891a626a50394021c580c342c81b99c9cb854a8e5cb22e67d7de94bb6b33c04f57e413cc56605cb3a5102989aa7b2b9019
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBPB/bSq:sxX7QnxrloE5dpUpUbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe

Executes dropped EXE 2 IoCs

pid	Process
4932	sysaopti.exe
3468	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW0\\dobxsys.exe"	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG4\\adobec.exe"	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe
1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe
1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe
1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe
4932	sysaopti.exe
4932	sysaopti.exe
3468	adobec.exe
3468	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 4932	1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe	86
PID 1808 wrote to memory of 4932	1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe	86
PID 1808 wrote to memory of 4932	1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe	86
PID 1808 wrote to memory of 3468	1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe	87
PID 1808 wrote to memory of 3468	1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe	87
PID 1808 wrote to memory of 3468	1808	15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe	87

C:\Users\Admin\AppData\Local\Temp\15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe
"C:\Users\Admin\AppData\Local\Temp\15556f2f4e156d7e04df7822bb3e6cb79984eed113917efc78f177c1df4b7fb6.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\SysDrvG4\adobec.exe
  C:\SysDrvG4\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxW0\dobxsys.exe

Filesize
2.7MB

MD5
8f9b5bd196ad25b3cb244fa01e4e301c

SHA1
24506095110c646f83e43495a3e5c7fa487983e3

SHA256
86b7423784108589680f4032be30bb8a3246fc540ac5a8f0f840807aa8a59d47

SHA512
1c09cd31d3acf6625f652a0afdef41a1ab77fe0279fa63510fd2aa32fdf00396c3b4a8a84fa6944b5120ca364f011354db01a03ecea90c945cac9a50c7b19ebf

Download Submit
C:\GalaxW0\dobxsys.exe

Filesize
1.3MB

MD5
954b03cdd63c69a1e3b97f458038af02

SHA1
2ecdbd6d156b90234f5cb28c15cfb8722c9dfb6a

SHA256
f0fee8d114ef81e2a229a33153ed6d46a0ee265ab103ff66def9538ec550973d

SHA512
3c32e5d2b9966766a3ffe0763f9fd3194b5bfef56e133a7b93d9a589d216375df16eb573e07f22fa42041b3b6189ce600115dff2020b3a26ff342bf3284af8f2

Download Submit
C:\SysDrvG4\adobec.exe

Filesize
73KB

MD5
dc15e86e319ef185540511b77b43aa8f

SHA1
8a43b3cafc32391559f9308331f6eeb2dc06f750

SHA256
511c0ba1c55934b3abb666a5d065ba70ec22b6f46bcd10f359acf311132fb4e6

SHA512
c2c2794a0105d7e9a74f5ba6beb99c6e6fab698f142944719234ee326b39f342b36164b40a802c4d2352002fc8aa637a11ef4632c81ab1cad3cc933d6142a667

Download Submit
C:\SysDrvG4\adobec.exe

Filesize
2.7MB

MD5
50d030dc8aa91fe0f5807d8ceb1fbf81

SHA1
f18ba168dcced2ee77dd9cd868cd7187d18499bc

SHA256
223ab019779d671a526c0bee4f1201292cabcfc4d7efc8579914888990a3d460

SHA512
789a28c359c4136b4c686f905ec20b15494d613b5e7b1daef2b069fa43f40688669a79ac0754532c6a2e2bf4a0f796d59141c4fdac7dda16cdd58be9a4d55472

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
8c97311643e3798fcefcc511abc2e2a4

SHA1
9d2b6c5354a8cc3b5798d12d910175c024123c37

SHA256
35e0f10e7b3898f28dca51632602464f86126218b4c0f5d25c706f874348f01d

SHA512
fc1e4d009ca8ac5658190eb786522fbdf29cfdcdf853862c8253d24247c1351988c3552ef3cf59ef52ae3c6013f8053b833616ddb000cc5a6ebdb5ea2058e510

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
170B

MD5
6067aded0d4387242fd1937eff21cf95

SHA1
065f5130acec396165aea28f1e8cfd21707daa02

SHA256
46c699ec51360261fca81f269b7d8c9bbd18303feae9d56dc48c5a37f2be92e4

SHA512
caab92e797c8603cd2ac0c1ae86458e98eef3ccb7a2a1b799e7815f6cd25530bd171f137c8f761104e564546a73129f7c56482296f5add0b45d4516a21b07cac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
2.7MB

MD5
30ba5a2d6e7e16bee142532de8bcc025

SHA1
cad89ed8271bf7bddf19270d8918e4f648b41c27

SHA256
bbfea6fad9b4161a7fd114521dfc2cc45df41caacfe704e3ebb3e4e5fda6a2d0

SHA512
7b4696fb999ca81d393935d86e3e5f64c021d362aa918bb7a33ca4fd153d5fed67f9c516b4233f96c83996273bcf35145ea70ea612cbfbde7236f3e13282ce44

Download Submit