e6902600a9a281182910743371f654a9cf988fe2c6494d7a061ace3a44f859ea

Analysis

max time kernel
118s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

357b4c2ed31bd6162b28608d10e696f0N.exe
Size

2.6MB
MD5

357b4c2ed31bd6162b28608d10e696f0
SHA1

b95b88176b716e4537ca7f5ba3a50b418e23f899
SHA256

e6902600a9a281182910743371f654a9cf988fe2c6494d7a061ace3a44f859ea
SHA512

0ca8a3e6135bc282cd692ff46060aa9308e6a81990bd9024efacb74a65c6a4402ec490821a329435c28b4350cf19a0fd78b738ca93cb11f6c12bc3d15a10b79f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bS:sxX7QnxrloE5dpUp+b

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	357b4c2ed31bd6162b28608d10e696f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2520	sysxdob.exe
2696	adobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2056	357b4c2ed31bd6162b28608d10e696f0N.exe
2056	357b4c2ed31bd6162b28608d10e696f0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3P\\adobloc.exe"	357b4c2ed31bd6162b28608d10e696f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR1\\bodaec.exe"	357b4c2ed31bd6162b28608d10e696f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	357b4c2ed31bd6162b28608d10e696f0N.exe
2056	357b4c2ed31bd6162b28608d10e696f0N.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe
2520	sysxdob.exe
2696	adobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2520	2056	357b4c2ed31bd6162b28608d10e696f0N.exe	29
PID 2056 wrote to memory of 2520	2056	357b4c2ed31bd6162b28608d10e696f0N.exe	29
PID 2056 wrote to memory of 2520	2056	357b4c2ed31bd6162b28608d10e696f0N.exe	29
PID 2056 wrote to memory of 2520	2056	357b4c2ed31bd6162b28608d10e696f0N.exe	29
PID 2056 wrote to memory of 2696	2056	357b4c2ed31bd6162b28608d10e696f0N.exe	30
PID 2056 wrote to memory of 2696	2056	357b4c2ed31bd6162b28608d10e696f0N.exe	30
PID 2056 wrote to memory of 2696	2056	357b4c2ed31bd6162b28608d10e696f0N.exe	30
PID 2056 wrote to memory of 2696	2056	357b4c2ed31bd6162b28608d10e696f0N.exe	30

C:\Users\Admin\AppData\Local\Temp\357b4c2ed31bd6162b28608d10e696f0N.exe
"C:\Users\Admin\AppData\Local\Temp\357b4c2ed31bd6162b28608d10e696f0N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Files3P\adobloc.exe
  C:\Files3P\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files3P\adobloc.exe

Filesize
2.6MB

MD5
abfb17803aee1d7f84ddb950f7bbaad0

SHA1
0a6e4b6db919eaf889d231c356ac4a66dade194f

SHA256
5451c054a56cf7a983c7a8728064f6eca660c4c5ec27b5b5d8f2a8dfdddcec29

SHA512
8530a41e597c0f7bd35ed69ae99169318f8ba32ec9c93c02c266577dbaebffced97c1d1fd7946b9793da08fa3e4f5c83965271dc4668b27ef5f26c79076aeaaa

Download Submit
C:\GalaxR1\bodaec.exe

Filesize
2.6MB

MD5
8833a04ad45909d75b35f81b75e37f67

SHA1
ed6dc34593c37d54c1019718db8c81f98e59b01c

SHA256
5114e92a0249e335860cfaa263aec3c0efefb0272441331d9530b85e99e1d5dd

SHA512
940f3b07dfa9c313bd65915dbda6bf12a2a178c9067e93fe027a202b4a4a5b0bb90225cdb050f296cb6a0b406b5245db12c4a70d4a1d56dcf33239ef59c88e55

Download Submit
C:\GalaxR1\bodaec.exe

Filesize
2.6MB

MD5
061d592c6b28475b3cb740675fe9db0e

SHA1
783ca48ec8ceb73b607e1dc75d1d1b0b6c0231cf

SHA256
1a51753f31617e2f1a0381e6a71659c05e57d25ad6d034deb36b1c046e2a82cb

SHA512
497bd07917c67d920e38d17f2e3f1853f232b504d4d4eb645d7ec53089c9c93167ce0192bce734e47ff9c9a0ea6529150dd788598724cef3310e1cdaa73844fb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
52ff42ccbd2088e4288025a6a2b026c0

SHA1
5dc1fa84227c44c8ca068b9ad9ee619475c409ae

SHA256
95929e43745187daec23abeb639411ee7a17d261a8f251a0e81fe1e0421223b8

SHA512
abb1f4da1ad0652a257935d2059829718d119924a414c9981216ec62bf4c125f6fcb714cdba8ddf4867e8359700be33ba39575ab2a43cf41f3657fdf362878b7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
315428c883ddcd8f3f25898002169f6a

SHA1
2e1856184b469ec3c008f3e1a2810560dc5d6048

SHA256
a087839c693f0a47798c2732f257383408f451a81dace4444a13d22043479039

SHA512
5627924cd1d5c92df58ea5d1bbdc28f700ac75fcdb08818a779e44dbd86df20721eb318e7a6ea3306667be2b400791d01e5d76fe8a922a829fcc10e87d2c99e5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
2.6MB

MD5
94989758934731b9440c4833eb703026

SHA1
1fae7117d9e9ac77cce47fdc8cf632f0ad72933e

SHA256
8c0d37e2956483871aaae7425a801179449cc3ade2291271798e81b1bd31b00e

SHA512
c9ab2917fc473f7e50a079d0fecb32084de61fea32c7decf23f35cde232b0e11bc636cf46e4e604299d48b42510a0f90b33edda50aba60160bbe8d72fafb9580

Download Submit