9765466d847c00f0df13030fa48c264d6b9c8ea407f4edaffd10509379ca15ba

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a97cf5a29c1dae93040842ee19a64b0N.exe
Size

2.6MB
MD5

2a97cf5a29c1dae93040842ee19a64b0
SHA1

4c42666c4414bbdbde41e258f1c7351f64f22753
SHA256

9765466d847c00f0df13030fa48c264d6b9c8ea407f4edaffd10509379ca15ba
SHA512

e7c74b2729a54a5c8e31dbd1c8999edaf22749b614e02e9c6b89d02426455afeac309005cb1f66a597e472d90a8e5b69065beaacbf720712f3ff40404ffda68a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB2B/bS:sxX7QnxrloE5dpUpRb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe	2a97cf5a29c1dae93040842ee19a64b0N.exe

Executes dropped EXE 2 IoCs

pid	Process
688	sysdevopti.exe
3388	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeC3\\xdobloc.exe"	2a97cf5a29c1dae93040842ee19a64b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPG\\dobdevsys.exe"	2a97cf5a29c1dae93040842ee19a64b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1080	2a97cf5a29c1dae93040842ee19a64b0N.exe
1080	2a97cf5a29c1dae93040842ee19a64b0N.exe
1080	2a97cf5a29c1dae93040842ee19a64b0N.exe
1080	2a97cf5a29c1dae93040842ee19a64b0N.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe
688	sysdevopti.exe
688	sysdevopti.exe
3388	xdobloc.exe
3388	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 688	1080	2a97cf5a29c1dae93040842ee19a64b0N.exe	87
PID 1080 wrote to memory of 688	1080	2a97cf5a29c1dae93040842ee19a64b0N.exe	87
PID 1080 wrote to memory of 688	1080	2a97cf5a29c1dae93040842ee19a64b0N.exe	87
PID 1080 wrote to memory of 3388	1080	2a97cf5a29c1dae93040842ee19a64b0N.exe	88
PID 1080 wrote to memory of 3388	1080	2a97cf5a29c1dae93040842ee19a64b0N.exe	88
PID 1080 wrote to memory of 3388	1080	2a97cf5a29c1dae93040842ee19a64b0N.exe	88

C:\Users\Admin\AppData\Local\Temp\2a97cf5a29c1dae93040842ee19a64b0N.exe
"C:\Users\Admin\AppData\Local\Temp\2a97cf5a29c1dae93040842ee19a64b0N.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\AdobeC3\xdobloc.exe
  C:\AdobeC3\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeC3\xdobloc.exe

Filesize
2.6MB

MD5
373feccc63df7fd0ab51d8e190f07105

SHA1
bfbd939a1b216aa7f6031729c6fa75546c0d8790

SHA256
3c0d42253a3f5c01fec18d265cc3428e8c5434f6e5511f85f6ffd54418220bca

SHA512
262f01f3cfc7ab90e7bde480d29beb18914b1650a3d1bbf24708dcee300cbd95f58826bdc6128aa9cf97ba6a88ef2fde8d795e97af4096691f29adfff07a08ab

Download Submit
C:\MintPG\dobdevsys.exe

Filesize
2.6MB

MD5
473b17cd35f294eaa5aae7779fe464ef

SHA1
6531443da2ddcf23fc631b78ca7a35c7b89e8ffd

SHA256
b5821678913feafd5e9b6e804492c3b58b43157e075f4c871309a372d5b1b9e0

SHA512
20313daf4c8af31783f23bf079dfda68bae4e21667ba18d39a690bdc9711b6d7dddafb481bd55319063a001fdecbce65107dc3469cff1f1d5063418f00bf976e

Download Submit
C:\MintPG\dobdevsys.exe

Filesize
928KB

MD5
3c9304f4847391b718611585d79b0801

SHA1
e62a281ddf2b0b65c1122aa50d387a61b78d6f40

SHA256
3b70a704b0db4f3f809c6deca22b017b447c1833e2e91fbcc8b3ddf677ea8f48

SHA512
9a56249531711f9b4d1a15ff2b7e9505dc4f2d7a91906497fdef9f0fb20ed7d5ce0144373a7bb0fdd640a0a9ff56b7e0d9ce78427596c5cb26bd6d44eb7a7b12

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
61b144a48383c7a0eee1e3f4d4918ae3

SHA1
80aa48a104b9eb66734366a96e0867828af5382b

SHA256
0c820837165c415b0e7213c64f4f823175a6809ecfdf857f0fc3ebee4f834fd5

SHA512
7d8f97d9655b9636999b369da5a6a1bb551dc5851a4b04260c5ef3232f11dd198925201fd473164885daf22947190085087601ada7d72bdd7912e7a5cbc6cd08

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
b9edd64b7c935bf69f727af96ad30d7e

SHA1
60efd8ad7f4bda04f3f15b86ed44c3e2497b1219

SHA256
74df726af9393c1042dbf609e1c29816d9dab6206ff70e7912be8a773a44221a

SHA512
05abf3fe43aa81a5ec22e70fdd65fdea60d2f79880c1ae005470763524030247b6ffa6a52c1ba92c20a92f6cac4bc324dea60e7942f9d72a1f5aa44474b101a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

Filesize
2.6MB

MD5
958f4ba0bf747a457554dfb254260e15

SHA1
60b830f2443c88cf66acee2a4300fc663e16cbbb

SHA256
6937c6f27a9414c4d99ed1e9a3125d2212773b9e7450053411ccd37443de1e47

SHA512
1bbb334b4e56462784e7cb3a7b2e2b786cd27cfa76d5d4472c3b5deb1f22ad2932fc6757368eb70921b586cdffd859e1a25dc536098c4527b2bb423900909c25

Download Submit