fb30319c9e7590e89990eb65e34ee97c18f1e762e91eb10787b4ba3809fdaba4

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 11:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cb7339debcadeae7fc93bfe77c511a0N.exe
Size

3.0MB
MD5

8cb7339debcadeae7fc93bfe77c511a0
SHA1

ad7b9e2f78f032635c206b6cc71b074d99535c4b
SHA256

fb30319c9e7590e89990eb65e34ee97c18f1e762e91eb10787b4ba3809fdaba4
SHA512

99f58255ef7478d5ac17a63adcb72724d2aea4e8a41896de303a55d78d4c70837bcf84cd84ebeb84e31f140bf9bae5236c4d95516ebba59016ce57d44b442da7
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8:sxX7QnxrloE5dpUpTbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe	8cb7339debcadeae7fc93bfe77c511a0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	locaopti.exe
2504	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	8cb7339debcadeae7fc93bfe77c511a0N.exe
1716	8cb7339debcadeae7fc93bfe77c511a0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZQ\\adobsys.exe"	8cb7339debcadeae7fc93bfe77c511a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8I\\optidevsys.exe"	8cb7339debcadeae7fc93bfe77c511a0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	8cb7339debcadeae7fc93bfe77c511a0N.exe
1716	8cb7339debcadeae7fc93bfe77c511a0N.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe
2672	locaopti.exe
2504	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2672	1716	8cb7339debcadeae7fc93bfe77c511a0N.exe	30
PID 1716 wrote to memory of 2672	1716	8cb7339debcadeae7fc93bfe77c511a0N.exe	30
PID 1716 wrote to memory of 2672	1716	8cb7339debcadeae7fc93bfe77c511a0N.exe	30
PID 1716 wrote to memory of 2672	1716	8cb7339debcadeae7fc93bfe77c511a0N.exe	30
PID 1716 wrote to memory of 2504	1716	8cb7339debcadeae7fc93bfe77c511a0N.exe	31
PID 1716 wrote to memory of 2504	1716	8cb7339debcadeae7fc93bfe77c511a0N.exe	31
PID 1716 wrote to memory of 2504	1716	8cb7339debcadeae7fc93bfe77c511a0N.exe	31
PID 1716 wrote to memory of 2504	1716	8cb7339debcadeae7fc93bfe77c511a0N.exe	31

C:\Users\Admin\AppData\Local\Temp\8cb7339debcadeae7fc93bfe77c511a0N.exe
"C:\Users\Admin\AppData\Local\Temp\8cb7339debcadeae7fc93bfe77c511a0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\IntelprocZQ\adobsys.exe
  C:\IntelprocZQ\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocZQ\adobsys.exe

Filesize
3.0MB

MD5
0003d2686234e02fdf0af728337b3155

SHA1
a4347506503ceeac9410a7625d7dd5e58f9677a6

SHA256
8b66ed9ff2d94af0b375c8327588ffdc36eeb11f10b7e9e283a2a29278c100c1

SHA512
076090f61947c86236158192e213acafca62d907774d9d6ba59ef3d0f65a0f1a4b57345cad4043654d70fca77af4912d47e844a076dec9da53df499257a95498

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
175B

MD5
63ed4273482c02d72919394c60ff543b

SHA1
0ca1ba3f0b6fde6e1629d7c76b6df1782c573b1b

SHA256
322c57c3713b7484aec7ae944b647d562d02b8161c9eab4176c949bc2931a154

SHA512
f2a7ba555789bcbaf9631990ed4b1d7237dd2818063c39b230b3a4837ea0971a5145291c4d9b2f8b87440c8a1016d2093adf522fcb1d65449ff573b6c01f219f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
a51ba39292c2552116563118cfddd443

SHA1
180dfa82be9057b2fe65661fb27f589a1b463fcf

SHA256
b362c0cd38cd11360ee23c6d553e24bacc273b427e548ee55af8c5d228eef6e3

SHA512
b483c020ad1347ac2be2877ee0ac6d55b5c3d48e8204c60c9c7d2f8f3ad70b343ee65e2d71fc5e5996935f85e6b348ce076e9a0a1f1a5ab785578d42d66ef3c8

Download Submit
C:\Vid8I\optidevsys.exe

Filesize
3.0MB

MD5
cdc781a6a6a35748dc7f25b84c181f5b

SHA1
cbca7722833c8049d96a5fe50ea1f9732e3116f7

SHA256
aef03270347b17b5f46cd31ecb0b0f082bd358d45fc0171744af0d15624e60ec

SHA512
57757fd1e194bb2eaf1c087683117a88c252c246b73e556b895ddb81c44d3b3d794a3c42b9d87ae0fd451fb63cf6a23b8d6fcb0b1d877bb1d897f256dfc9b8b3

Download Submit
C:\Vid8I\optidevsys.exe

Filesize
3.0MB

MD5
3d166635bc6fb6be58fb656588e31c4f

SHA1
0391533d642cf5ae4e66b0caf8fc7fe8ddada7f6

SHA256
e8c8ea5443c69e0ea5a777482a308c988d72f335aeb16782457f2047ec251d1b

SHA512
91e3050bc217ed7b8e96700d45054963a415c519f05670c69b193a1030a0fd7a5dd688805b5cf07b943400b6fc78c3ed63b59f03662802f7972bf6900a94545a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe

Filesize
3.0MB

MD5
6adedc55ddbba80b43d37b043bb133a0

SHA1
2a713f7c6aabede244259e2ed8ae4bd5221dd717

SHA256
0c4b5dd59a3cccad1f0defa48bc7d6717dbe2aa17b095bbd637adcd6ca082f56

SHA512
db8644c86bc11d18eb4460e4d02ef0cedadc95923f7ffe1986813c4fa279ec6735f4896f07173a9790d088f9524b19df75fc759417ab7e4120fc5d0895dcdeb6

Download Submit