87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b

Analysis

max time kernel
119s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038667b9ff12f0fb52c5d2eab925c830N.exe
Size

2.6MB
MD5

038667b9ff12f0fb52c5d2eab925c830
SHA1

108136bd34f9d12300c6c4cfd8293ca6ab64f6e8
SHA256

87cab3379af59c281c0e86b58e8c497ddefb693fd757c53de5d9f4fc40947f8b
SHA512

09f5cb3c90589cceafaf2008ba95fcb8675ec2bf80da3efb8de8e96baf9dc666f1cc769f79bf335ec6d0762ba98208ee73a60910604df0095509bef55a043f5c
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB/B/bS:sxX7QnxrloE5dpUpsb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	038667b9ff12f0fb52c5d2eab925c830N.exe

Executes dropped EXE 2 IoCs

pid	Process
2168	sysdevdob.exe
3316	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvLX\\adobloc.exe"	038667b9ff12f0fb52c5d2eab925c830N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIF\\bodxloc.exe"	038667b9ff12f0fb52c5d2eab925c830N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	038667b9ff12f0fb52c5d2eab925c830N.exe
2708	038667b9ff12f0fb52c5d2eab925c830N.exe
2708	038667b9ff12f0fb52c5d2eab925c830N.exe
2708	038667b9ff12f0fb52c5d2eab925c830N.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe
2168	sysdevdob.exe
2168	sysdevdob.exe
3316	adobloc.exe
3316	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2168	2708	038667b9ff12f0fb52c5d2eab925c830N.exe	86
PID 2708 wrote to memory of 2168	2708	038667b9ff12f0fb52c5d2eab925c830N.exe	86
PID 2708 wrote to memory of 2168	2708	038667b9ff12f0fb52c5d2eab925c830N.exe	86
PID 2708 wrote to memory of 3316	2708	038667b9ff12f0fb52c5d2eab925c830N.exe	87
PID 2708 wrote to memory of 3316	2708	038667b9ff12f0fb52c5d2eab925c830N.exe	87
PID 2708 wrote to memory of 3316	2708	038667b9ff12f0fb52c5d2eab925c830N.exe	87

C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe
"C:\Users\Admin\AppData\Local\Temp\038667b9ff12f0fb52c5d2eab925c830N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- C:\SysDrvLX\adobloc.exe
  C:\SysDrvLX\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintIF\bodxloc.exe

Filesize
2.6MB

MD5
bd3a03160ba328baac42c6c385ea4cbc

SHA1
dc50f0f35901023b593c1053f61541a43689146d

SHA256
e5bbfd53ce0924f3cfeaed96a5692a436ffcf199e8f51b91d546a97f8c92a73a

SHA512
1a9b5d52efa14adeaea97ba9912dcca6b4c1c453849dc5df8e70b232cd6264e99df393e812462ac5df9ed28142b964c6ddf411c277502979b0b9357e002bd9ee

Download Submit
C:\MintIF\bodxloc.exe

Filesize
176KB

MD5
d71c487da8f1e8c45d3607408ed01b7c

SHA1
5c16eeb4c1514529a0ddd6e60b1cccccfc8fb59a

SHA256
54e211425f8e0601dfbdc8dee18f20a3b18daa99d828e5639354a1c9a04b8afa

SHA512
925fced28c33622427c74e623db9f705fa6767aab6ab21eeac18c8ef3abb9468740bbb2f10047eff0ee11a74bfca2d15ad8cf78fd05d3b2cc58527b5918839d5

Download Submit
C:\SysDrvLX\adobloc.exe

Filesize
179KB

MD5
bf71ccff1edb7ebe7864719a59242753

SHA1
414fbca2dae2f26f15e5f25177e9b85ce2ffdda8

SHA256
3d3072d4afe057ce10151ad8b3992a79747277d4684a9ea4822514ab17665479

SHA512
d648674f41d48d4b110d4cc743eef9026ea990dc4b5f5b63d0507bd3e6257e5a44ed758794700f7bf03c546f7cb4f0523a3c50b27d9b8ef6591f3be16c66bcee

Download Submit
C:\SysDrvLX\adobloc.exe

Filesize
2.6MB

MD5
d5a9e475202bc0c277017c4e6fd02733

SHA1
7acfdd88c73f232369d2753852b835d6619753a7

SHA256
76858cadf7d1f9a5fcc07613d1675bdc8f58808a8eda22f6e2e17230c8277dca

SHA512
dbd8b28b26c724aebc241a0c9e2b6b174ffce74e979220dbd0e0b8515e3583acfe44fe4671cefd1fca7c10c5d560e35be7ccd1594db9bda1c88f0f7d9cc493a2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
4ad4b7e73efb9f4fae8fcfe85281d35a

SHA1
1091904bb7cfbb84ecb731603f2e87acbc1904ea

SHA256
40cbf09f7c5241578aa1cefbb3c5958be80ba5002ffe3bd30401c41851581078

SHA512
754837cc6529f8286d6e4edf15a4c5733e89186e24a941e46587f81e419972d150b54f80c9b8f896042823a0f7c3a07b4130dde90e5919b9c0aa67f136abe5d3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
d2cdfe430af88a1e5d756a6322c3ddba

SHA1
4d524eae239c5ff6987a5e9b1b8230089a091923

SHA256
750ccaf30a6d7725a371e7448707bcf39d4501ad0a859ba112e68eeabdee5338

SHA512
ec8583a3ea5b58af3605a1671fda6f5d97fd0d8498af14eea15349e456ec20ab7a69d21a4f3eff7e4df67e33b56fb27bb50c7b3f8c3dc473fb08810e8af12af9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
2.6MB

MD5
a9cb2a669c6a31feba6b6429834025ac

SHA1
9e419ecbbac627945558c31063e16de110ecea7b

SHA256
0b26c1df3bf9ab7aedb157b55771dd27611132556149c1b8aac9002be9d5b3df

SHA512
36e1a8411377379ce531f280fc983cb15d5a42c205aa764a4c2e3b52ef2617f757425d7d6fec10cd1c0c6eef38e9b0093415515b42794823ad67d17d68ff98b6

Download Submit